Bug bounties: Outbidding the black hats

Google, Mozilla, and others offer cold cash to find software flaws before the bad guys do. Should your company do the same?

There's another reason why many experts are opposed to the idea of bug bounties, however, which is that it tends to encourage the concept of a commercial market for software vulnerabilities -- a market in which software vendors can't realistically compete. As my Infoworld.com colleague Roger Grimes has observed, organized computer criminals might offer as much as $100,000 for an exploitable OS bug, a figure that makes any legitimate bug bounty look paltry in comparison.

Who will claim the rewards?
But while it's true that payouts of a few thousand dollars are unlikely to inspire any independent developer to make a career out of tracking down other people's bugs -- especially when a black hat group might offer many times more for one-time information -- they're still nothing to sneeze at. As Johnathan Nightingale, the director of Firefox development, says, "In a lot of the world, $3,000 is a big deal, and our contributions come from lots of places."

What's more, unlike their real-world namesakes, many bug bounty hunters don't seem to be motivated by money. According to Nightingale, more than 1 in 10 bug hunters actually turn down the bounty. For these researchers, it seems, the chase is better than the catch, and just the fact that the contest exists is enough to inspire them. Microsoft cites this as yet another reason not to offer bounties at all, though this seems like a specious argument at best.

There's one more point that often gets overlooked when weighing vendors' bug bounties versus the fees offered by criminal organizations: Black markets for bugs are just that -- black markets. Legitimate software developers' code is subject to copyrights, patents, and contracts with their employers. No such protections exist for software exploits. Even if hackers sell a newly discovered vulnerability to a black hat group, who's to say they wouldn't also redeem the bounty from the vendor? Honor among thieves and all that -- best to leave all doors open.

Caught 'em. Now what?
It stands to reason, then, that every software shop should at least consider the option of offering bug bounties as a way to increase scrutiny of their code. But needless to say, locating software flaws is just a small part of the application development cycle. No matter what tools you use to track down bugs, unless you have processes in place that allow you not only to address the flaws, but to push the fixes out to customers on a timely and reliable basis, your efforts will have been wasted.

Remember "The Empire Strikes Back"? However much Darth Vader's subordinates complained, his plan to use bounty hunters to track down his enemies actually worked. By the end of the film, the top rebel leaders had all been lured into a trap, and space pirate Han Solo had been literally frozen into a statue.

The important thing, though, is what happened next, once the bounty hunters' job was done and the ball was back in the Empire's court. I won't spoil the movie for you. Let's just say that bounties can only accomplish so much; strategy and execution are everything.

This article, "Bug bounties: Outbidding the black hats," originally appeared at infoworld.com. Read more of Neil McAllister's Fatal Exception blog and follow the latest news in programming at infoworld.com. For the latest business technology news, follow infoworld.com on Twitter.