
Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.
Despite huge progress in the vulnerability disclosure process, things remain broken when it comes to vendor-researcher relationships.
Case in point: Last year, when Leigh-Anne Galloway (a cybersecurity resilience lead at Positive Technologies) found a gaping hole in the Myspace website, she reported it to Myspace owner Time Inc. But then, days, weeks and finally three months later: crickets.
The Myspace bug wasn’t small. It allowed a hacker to log in to any of the 3.6 million active Myspace users’ accounts in a few easy steps. “It was a straightforward bug, and easy to execute and reproduce,” Galloway told Threatpost.
After giving up on Time Inc., Galloway weighed the risk the bug posed to the public against the risk of going public. Galloway decided to publish her research. “Within hours of my blog posting, the bug was fixed,” she said. Neither Time Inc. nor Myspace ever got back to her.
A year later, things haven’t improved much: Last month, Galloway found several bugs in mobile point-of-sale platforms. After she privately disclosed the bugs to the vendors, they didn’t ignore her, but she was threatened with multiple lawsuits for reverse-engineering copyright-protected intellectual property.
“I can’t say personally I’m seeing a lot changing,” she said.
The System is Broken
Vulnerability disclosure has long been the third rail in the relationship between researcher and vendor. While bug-bounty programs have been a step in the right direction, friction still exists for a meaningful percentage of vendors and researchers.
“The relationship between vulnerability researcher and vendor in the context of disclosure is broken,” said Casey Ellis, chairman, founder and CTO of bug-bounty platform Bugcrowd. “If you look at the entire ecosystem of companies and researchers especially outside the scope of a bounty program it still needs to be fixed.”
Experts say that murky non-disclosure agreements and unclear safe-harbor rules contribute to the problem, as do companies that are deathly afraid their bugs will become public. Another issue is opportunistic researchers eschewing responsible disclosure in favor of selling vulnerabilities to the highest bidder.
What has defused those tensions has been the rise of platforms such as HackerOne, Bugcrowd and over a dozen others that have commoditized the communication, workflow and prices of vulnerability research. Threat intelligence and analysis firm EclecticIQ, for instance, estimates bounty programs keep about 80 to 90 percent of vulnerability disclosure relationships with vendors on an even keel.
“Of the 18,000 bugs found and fixed, we have avoided legal action on all of them,” said Marten Mickos, CEO of HackerOne. “There is work to be done, but bounty programs have eliminated most of the friction between researchers and vendors,” he said.
Room for Things to Go Wrong
Despite the progress being made with bug-bounty projects, there’s still plenty of room for things to go awry. And recent examples are plentiful.
For instance, Microsoft was recently put in the hot seat when a Twitter user going by the handle @SandboxEscaper expressed exasperation with Microsoft’s bug-submission process and publicly disclosed a zero-day flaw.
Other examples include Google’s Project Zero, which was recently accused of playing politics by Epic Games when it disclosed a bug tied to the Android version of the company’s popular Fortnite game. And, after the makers of the cryptocurrency wallet Bitfi declared their product “unhackable” and offered $250,000 to anyone who could compromise it, the wallet (of course) was cracked. No bounty was paid, and the company has rescinded its bounty offer.
Meanwhile, a 2017 HackerOne study found that 94 percent of the Forbes Global 2000 do not have official vulnerability policies at all.
Pen-Testing vs. Bounty Contests
While experts disagree on the depth of the problem, Katie Moussouris, founder and CEO of Luta Security, said when it comes to bounty programs, ambiguity often leads to problems between researchers and vendors.
“People are confusing bug-bounty programs with legitimate penetration testing contracts,” she said. “The difference is that pen-testers are hired to find vulnerabilities within a company and are paid and are protected legally whether they find a bug or not.”
Bounty hunters, on the other hand, are involved in “competition” for uncovering new flaws, and are only paid when they find a vulnerability. They’re not always shielded legally, and have to adhere to binding non-disclosure agreements tied to the bugs that they find, in accordance with the bug-bounty programs they are involved with.
“Only the first person to find a bug gets the bounty money,” Moussouris explained. “The vendor can also say they already found the bug and they are not going to pay you. Now, the researcher is still stuck with that non-disclosure agreement. And then what happens if the vendor decides they are never going to fix that bug?”
She added, “When that happens, that’s an abuse and a perversion of the bug bounties.”
Moussouris, a tireless advocate for improving vendor/researcher relationships, said bounty programs have accelerated change for the better but have failed to solve the big issues. Aside from issues around bug non-disclosure rules, protecting hackers with safe-harbor provisions has had only middling success.
Safe Harbor
Safe-harbor frameworks shield researchers from legal action if a vendor threatens a white-hat hacker with a lawsuit on the grounds of compromising its technology.
“The current U.S. main federal anti-hacking laws, the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, along with notable public incidents, have had a chilling effect on the security researcher community,” wrote Amit Elazari, a University of California at Berkeley doctoral candidate, in a post on Bugcrowd’s website. “The ambiguity of existing laws and lack of frameworks surrounding protocols for ‘good-faith’ security testing has sometimes resulted in legal implications for ethical hackers working to improve global security.”
Bugcrowd proposed a vendor-agnostic project to standardize best practices around safe harbor, called Disclose.io, with the goal of pushing forward an Open Source Vulnerability Disclosure Framework that the industry can rally around.
There are also copious specific vulnerability and disclosure frameworks. They include those from U.S. CERT, ISO, IETF,