SAN FRANCISCO — Combining a deep understanding of the economics, mechanics and politics of bug bounties with generous helpings of pop culture references, long-time bug bounty proponent and founder and CEO of Luta Security Katie Moussouris explained how over-reliance or lack of understanding can hamper the effectiveness of bug bounties — but there are ways to keep bug bounties and avoid some of the bigger pitfalls.
Despite spending billions of dollars over many years in efforts to secure systems of all kinds, the breaches keep coming. Moussouris, who helped Microsoft set up one of the first big bug bounty programs in 2013, warned that over-reliance on bug bounty programs can be unproductive because many programs are structured in ways that pay bug hunters top dollar for “low-hanging fruit” vulnerabilities.
“I like bug bounties and I cannot lie,” Moussouris said, “I am one of the biggest proponents of bug bounties,” but she added that there are ways to use them wisely — as well as “pitfalls and traps.”
“We are in quite a bit of danger of jumping the shark with this concept if we’re not careful, but we do have the ability to course correct.”
Jumping the shark — what occurred in the TV show “Happy Days” when the writing staff ran out of ideas and had the popular character Fonzie waterski over a shark — is a possibility for bug bounty programs because they, like “Happy Days,” are very popular but are endangered by their own success.
Bug bounty programs: not quite perfect
For companies that walk into their first bug bounty program with high expectations, there may be some surprises, according to Moussouris. For starters, when a global bug bounty program begins, the company needs to understand that there may be an elevation in what appears to be malicious activity, so it needs to find a way to differentiate the attacks that come from malicious actors from the activity of bug bounty hunters.
There is also the issue of how to deal with a sudden influx of bug reports. Simply doing triage on non-spam inbound email can be a massive task; Moussouris said that Microsoft receives between 150,000 and 200,000 non-spam inbound email messages to the email@example.com account, and the job of sorting through it all, despite six-figure salaries with full benefits at Microsoft, was described in 2007 as one of the worst jobs in science, and had the highest turnover of any job in the Microsoft Security Response Center.
Perhaps the greatest danger for bug bounty programs may be that some pay premiums for pretty ordinary vulnerabilities. Moussouris said that the majority of bug bounty bugs were cross-site scripting (XSS), and that breaches are caused by easy-to-spot vulnerabilities like XSS and unsecured AWS S3 buckets.
How to stay away from perverse incentives
While bug bounty programs with six-figure bounties may get a lot of attention, they may tend to provide what Moussouris described as “perverse incentives” for developers as well as bug bounty hunters: many bug hunters are happy to report bugs in exchange for the public recognition, or even for something as simple as a challenge coin.
Developers may also be tempted, as shown in a 1995 Dilbert cartoon, to add, or at least not fix, bugs that they’ve put into the code themselves. And even if they aren’t tempted by large prizes, developers still add bugs to their code in large part because security is not a part of most top computer science curricula in the U.S.
Action items for better bug bounty programs
When considering bug bounty programs, organizations should be willing to do the homework, which Moussouris suggested starts with auditing systems and software first to eliminate the easy-to-find bugs, followed by building a sustainable internal vulnerability handling process that will help defenders learn from every bug found so that entire classes of similar vulnerabilities can be eradicated.
Other, longer-term goals include building a balanced workforce by hiring and outsourcing appropriately. And at all times, Moussouris urged defenders to be conscious of perverse incentives and remember to question anything that appears to be too good to be true.