Bug bounties encourage researchers to be motivated by money rather than pushing for a safer environment.
Speaking to IT Security Guru, Cris Thomas, technical manager at Tenable and former L0pht member Spacerogue, said that the group’s efforts were in an aim to get security right and get things fixed. Asked if he felt that the introduction of bug bounties has made things better, he said he “wouldn’t call it better now”.
He said: “Because of the bug bounty programmes you have a marketplace, it is not about fixing bugs it is about putting dollars in your pocket. If you find a bug you should get paid for your work as people forget that stuff we did 15 years ago was in addition to day jobs, so we had day jobs to pay for our research. We did our L0pht stuff and found vulnerabilities for fun.
“Now there are people who get enjoyment out of finding vulnerabilities, but also want to get paid and rewarded for their effort and time, and I don’t see a problem with that, but it creates a lot of other issues as well as you create a marketplace and you have Governments buying vulnerabilities and stock piling them so that they do not get fixed. That is something I cannot agree with, I want to see stuff get fixed.”
Thomas said now security issues are found in areas where they were not thought of to look for before. Joe Grand, who was the L0pht member Kingpin, said that the group members were not getting paid as there wasn’t much of an industry, and now Microsoft pays $100,000 for finding a bug.
“That changes things for people who want to get paid and not to make things better. We have grown up and have jobs and families, but there will always be a younger generation and people who grew up the same way we did, hacking things in the basement,” he said.
“In the security industry and in technology, there is a lot of money floating around now, so the ambition to create a group is always going to come back to money, whereas at the L0pht money was not the thing, it was doing what we wanted to do.”
Thomas called a lot of bug bounty programmes “great, as they motivate people to find bugs and companies to fix them”, but said that is a small factor of what software is rewards findings of bugs, as 99 per cent of it has no bounty so there is no incentive to fix anything.
Christien Rioux, aka Dildog, said that the people selling the exploits are not those doing the hacking. “Also it takes a long time to make an exploit – a weaponised exploit that is perfect and executes can take six to nine months and that is a long time for a developer so they have to find a way to monetise that and it requires hundreds of people buying it for a few hundred dollars a time. That’s where the economy makes it explode a little bit.”