
Black Hat 2010: Some vendors oppose “bug bounty” programs, researchers disagree

July 28, 2010

So-called “bug bounty programs,” which offer security researchers monetary incentives for the disclosure of security vulnerabilities and exploits, are not the best strategy for improving internet security, senior security professionals at Cisco and Microsoft said during a talk at the Black Hat conference in Las Vegas.

But other panelists in the session, titled "Optimizing the Security Researcher and CSO Relationship," said bug bounty programs are beneficial because many researchers feel their work goes unappreciated: their bug disclosures are often compensated with nothing more than a "thank you" from the affected vendor.

Currently both Google and Mozilla provide monetary rewards for the disclosure of security bugs. In late January, Google announced it would offer up to $1,337 for bug finds in Chromium. Mozilla, provider of the Firefox browser, offers a similar initiative known as the Security Bug Bounty Program, offering rewards of up to $500.

Both companies have since increased their rewards.

Meanwhile, Microsoft, maker of Internet Explorer, does not offer cash rewards for vulnerability disclosures.

Andrew Cushman, senior director of strategy in Microsoft's Trustworthy Computing Group, said vulnerabilities certainly have value but he does not think providing a bug bounty is the best way to improve internet security.

Microsoft, however, recently dropped the term "responsible disclosure" and unveiled an initiative known as "coordinated vulnerability disclosure" as a means to get researchers and vendors to better align their motives.

Another panelist, John Stewart, CSO of Cisco, also said he is not in favor of bug bounty programs.

Security researchers who voluntarily disclose vulnerabilities should be motivated by the goal of making the internet more secure, Stewart said. Providing cash for bug disclosures could shift researcher motivations from making the internet a better place to just making a profit.

Further, if monetary rewards for bugs become commonplace, then a vendor might be the last to find out about a bug in its product if it is not the highest bidder, Stewart said. 

Often, in fact, security researchers are satisfied simply with receiving credit for finding bugs, because such acknowledgement lets them profit in the long run by building a reputation for finding vulnerabilities.

To that point, David Litchfield, researcher and founder of database security software vendor V3rity, said researchers have been receiving nothing more than a "thank you" for years.

"The 'thanks' is wearing a bit thin," he said.

Another panelist, Alex Stamos, researcher and founder of security consulting firm iSEC Partners, who is in favor of bug bounty programs, said that simple name recognition does not “pay the mortgage.”

Members of the security research community have grown up, many have families and need to make money, he said. Plus, it is “incredibly hypocritical” that researchers have been expected to work for "thanks" when dealing with extremely profitable companies.

Being able to discover vulnerabilities and exploits is an “incredibly valuable, rare skill” that should be a valuable business, he said.

Meanwhile, another panelist, Robert Lentz, former chief information security officer at the Department of Defense, said he sees both sides of the argument and suggested that major vendors and the government establish a Nobel Prize-like award for security research, with a substantial monetary award attached.

He added that security conferences should devote more time to recognize the work of researchers that have helped make the internet safer.
