The Internet Bug Bounty project has been expanded to include a bounty for tools and techniques that aid in vulnerability discovery and determining exploitability.
According to research by HackerOne, MIT and Harvard, creating incentives for tools and techniques that support vulnerability discovery is a more efficient way for defenders to drain the offense stockpile of zero-day vulnerabilities, and bug bounties are still effective to help find vulnerabilities faster, especially for less mature software.
Katie Moussouris, chief policy officer at HackerOne, said in a blog that over the years, bug bounties have proven to be an effective way to incent researchers to find and report individual vulnerabilities to the defense players and as the stakes and cash have risen in the market for vulnerabilities, the opportunity to sell to both offense and defense markets has increased.
“The defense players will try to mitigate the risk or patch the vulnerability, while offensive use of a vulnerability can range from nation-state-sponsored attacks, to surveillance of civilian populations by their Governments, to use in law enforcement operations, to criminal activity, to hacktivism, to simply causing mayhem,” Moussouris said.
“Some of the leaked Snowden documents confirmed what most in the security industry already know: Governments, including the US, are major players in purchasing vulnerabilities at high prices to use for offense purposes. These same Governments are also tasked with defending national security and critical infrastructure, and the choices they make of whether to turn a security hole over to the appropriate software vendor to fix it, or to add it to a stockpile of potential weapons is an interesting conundrum.”
Acknowledging that individual organisations want to reduce the number of security bugs in their infrastructure, Moussouris recommended that businesses first invest in their Security Development Lifecycle, and then offer individual bug bounties as an ongoing security quality assurance measure to catch the vulnerabilities they missed.
“It’s also a way to find great defenders with the hacker mindset to hire,” she said. “For more mature software, organisations should try creating incentives for tools and techniques in addition to any individual bug bounty to specifically increase the rate at which they can find the same bugs as the offense side has stockpiled.”
She also recommended the wider industry get behind the Internet Bug Bounty concept, saying that it was established to recognise and reward security research that improves critical Internet infrastructure including the OpenSSL library, the Apache and Nginx Web servers and the Ruby, Python, PHP and Perl programming languages, among others.
Tod Beardsley, Rapid7’s engineering manager, said that he was excited by the concept, as the Rapid7-owned Metasploit Project is a largely community-driven, volunteer effort that relies on the goodwill of researchers to share their findings with the world, and he said that we don’t seem to be running out of useful exploits to demonstrate risk.
“However, as the researchers on the zero-day market have found, there are many incentives out there for keeping bugs secret and using them for purely offensive purposes,” he said.
“I’m glad to see the IBB and HackerOne take a lead on guiding and focusing the exploit efforts of the “good guys.” Organised crime is, by definition, organised, and I know that the greater open source security research community can lack focus in the face of so many vulnerabilities being published on a daily basis.
“As a side effect of incentivising researchers to teach each other how to better conduct exploit R&D, I feel like these efforts of the IBB will also help prioritise what kind of research is the most useful and fruitful, by making it easier to rediscover the secret vulnerabilities already being stockpiled today.”