Google, Mozilla, and others offer cold cash to find software flaws before the bad guys do. Should your company do the same?

In “Star Wars: The Empire Strikes Back,” the villainous Darth Vader employed alien bounty hunters to track down enemies of the evil Galactic Empire. Not everyone in Vader’s camp agreed with the move. As the camera tracked across the motley group, one Imperial officer was heard to mutter, “We don’t need those scum.”

Opinion is similarly polarized in the software industry over the practice of offering “bug bounties”: cash payouts for developers who discover previously undocumented software flaws. Some experts say it’s a good way to encourage enhanced scrutiny and independent review of an application’s code base. Others say it’s little more than a distraction, one that can lull vendors into a false sense of complacency.

Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They’re just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it’s time more software shops thought seriously about using their own cash to turn the tide in their favor.

Big business in bugs

Two of the highest-profile proponents of the bug bounty approach are Google and the Mozilla Foundation, which have engaged in a kind of informal bidding war for bugs in their respective Web browsers and services.
Mozilla pays up to $3,000 for critical and high-severity bugs, while Google offers up to $3,133.70 (a play on a hacker spelling of the word “elite”).

To hear Google tell it, its program has been a resounding success. In March, the search giant patched 19 bugs in its Chrome Web browser that had been discovered by independent security researchers. In turn, it paid out a total of $14,000 in bug bounties, equivalent to about one-sixth of a typical Google developer’s salary, according to PayScale.com. To offer the same value, a single full-time security analyst would have to spot about 10 new bugs per month.

But not every company agrees with the bug bounty approach. Microsoft, in particular, has long been a staunch opponent of the idea. It’s easy to see why. Both Chrome and Firefox are open source projects, while Microsoft offers only limited access to its source code through its Shared Source program. To create a bug bounty program with the breadth of Google’s or Mozilla’s, Microsoft would have to open its proprietary code to the rank and file. Besides being ideologically opposed to that idea, Microsoft engineers simply don’t believe it works; they hold that organized code review within the organization is a better way to isolate defects.

There’s another reason why many experts are opposed to the idea of bug bounties, however: it tends to encourage the concept of a commercial market for software vulnerabilities, a market in which software vendors can’t realistically compete. As my InfoWorld.com colleague Roger Grimes has observed, organized computer criminals might offer as much as $100,000 for an exploitable OS bug, a figure that makes any legitimate bug bounty look paltry in comparison.

Who will claim the rewards?
But while it’s true that payouts of a few thousand dollars are unlikely to inspire any independent developer to make a career out of tracking down other people’s bugs, especially when a black hat group might offer many times more for one-time information, they’re still nothing to sneeze at. As Johnathan Nightingale, the director of Firefox development, says, “In a lot of the world, $3,000 is a big deal, and our contributions come from lots of places.”

What’s more, unlike their real-world namesakes, many bug bounty hunters don’t seem to be motivated by money. According to Nightingale, more than 1 in 10 bug hunters actually turn down the bounty. For these researchers, it seems, the chase is better than the catch, and just the fact that the contest exists is enough to inspire them. Microsoft cites this as yet another reason not to offer bounties at all, though this seems like a specious argument at best.

There’s one more point that often gets overlooked when weighing vendors’ bug bounties versus the fees offered by criminal organizations: Black markets for bugs are just that, black markets. Legitimate software developers’ code is subject to copyrights, patents, and contracts with their employers. No such protections exist for software exploits. Even if hackers sell a newly discovered vulnerability to a black hat group, who’s to say they wouldn’t also redeem the bounty from the vendor? Honor among thieves and all that; best to leave all doors open.

Caught ’em. Now what?

It stands to reason, then, that every software shop should at least consider the option of offering bug bounties as a way to increase scrutiny of their code. But needless to say, locating software flaws is just a small part of the application development cycle. No matter what tools you use to track down bugs, unless you have processes in place that allow you not only to address the flaws, but to push the fixes out to customers on a timely and reliable basis, your efforts will have been wasted.
Remember “The Empire Strikes Back”? However much Darth Vader’s subordinates complained, his plan to use bounty hunters to track down his enemies actually worked. By the end of the film, the top rebel leaders had all been lured into a trap, and space pirate Han Solo had been literally frozen into a statue.

The important thing, though, is what happened next, once the bounty hunters’ job was done and the ball was back in the Empire’s court. I won’t spoil the movie for you. Let’s just say that bounties can only accomplish so much; strategy and execution are everything.

This article, “Bug bounties: Outbidding the black hats,” by Neil McAllister, originally appeared at infoworld.com in his Fatal Exception blog.