Barriers remain for bug bounty bait

More software businesses are now offering a bounty to security researchers, or whitehats, to uncover and disclose vulnerabilities but it remains to be seen if other vendors are willing to take that approach.

Efforts to pay security researchers for reporting vulnerabilities in software are not new. Back in 2002, iDefense introduced its Vulnerability Contributor Program, while the Mozilla Foundation in 2004 said it would pay US$500 for each serious bug identified in its browser. TippingPoint in 2005 launched its Zero Day Initiative (ZDI), pledging to pay hackers that report security vulnerabilities.

Last week, Google hopped onto the bounty bandwagon when the Internet giant rolled out its own incentive scheme for bugs identified in its Chrome browser. Crediting Mozilla for the idea, Chris Evans from Google's Chrome security team, noted in a blog post that the move was a way to recognize researchers currently active in the security industry, as well as to recruit more external contributors.

"For existing contributors to Chromium security--who would likely continue to contribute regardless--this may be seen as a token of our appreciation," Evans wrote. "In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security."

"The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be," he added.

Negative initial sentiments
The approach of offering a bounty for responsible disclosure of vulnerabilities was not always well received, though, some of these sentiments may have changed over time.

In an e-mail interview, Pedram Amini, manager of security research at TippingPoint, pointed out that the emergence of the whitehat market in 2002 "was for the most part, negatively received among researchers". This, he noted, has changed over the years.

"Increasingly, more and more well-respected researchers are supporting the 'no more free bugs' movement," said Amini. "These researchers point out that vulnerabilities have legitimate value and, therefore, should not be made available to vendors free-of-charge."

While he acknowledged that efforts such as the ZDI, which has to date reported 350 vulnerabilities, are unable to "compete price-wise" with the underground economy, Amini noted that selling on the "black or grey markets" requires more effort.

"Vulnerabilities sold on the black market must also come with a packaged attack ready to exploit the vulnerability," he explained. "And the price may still vary based on how easy it is to 'weaponize' the attack, and how long it can go undetected."

On the other hand, security researchers can simply send a "crash report" with basic details about the vulnerability and the ZDI team, for instance, would "do the digging to uncover the actual flaw in the code".

Will others follow?
Despite researchers increasingly calling for payment for bugs, not all vendors are prepared go down this path and "definitely not anytime soon", said Amini.

"There are some vendors who treat the [issue] with the same hostility that governments respond to [when] negotiating with terrorism--meaning, they are vehemently opposed to paying researchers for bugs," he noted.

Concurring, Ovum's principal analyst Graham Titterington, said in an e-mail the practice of paying for vulnerability disclosure is not widespread.

It is not in the vendors' interest "to uncover bugs that would otherwise remain undiscovered", simply to ensure they have the information before the hackers do because the vendors incur additional costs, Titterington noted.

He suggested that the "utopian" solution going forward is to develop higher quality or vulnerability-free codes.

Mike Reavey, director of Microsoft Security Response Center, told ZDNet Asia in an e-mail that the software vendor "does not believe offering compensation for vulnerability information is the best way we can help protect our customers". Redmond will continue with its policy to credit researchers who practise responsible disclosure of vulnerabilities, Reavey added.

"It is our belief that compensation for zero-day vulnerabilities does not foster a community-based approach to protecting customers from cybercrime," he said. "Rather, collaboration with the research community and members of the industry is essential to effective security response practices as no one individual, company or technology, can secure the Internet alone."

Microsoft has previously offered rewards, albeit on an ad-hoc basis, to support an internal Windows Vista bug-hunting effort, as well as for information leading to the identification of the creators behind worms such as Blaster and Sasser.