Forgot your password?
typodupeerror
Bug Government Programming Security The Almighty Buck

The Case For a Government Bug Bounty Program 53

Posted by Soulskill
from the 40-cents-for-a-cockroach,-75-cents-for-a-bedbug dept.
Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."
This discussion has been archived. No new comments can be posted.

The Case For a Government Bug Bounty Program

Comments Filter:
  • by Anonymous Coward

    No way they are going to buy these vulnerabilities and use them to spy on Americans or weaponize them.

    This week on Dog the Bug Bounty Hunter.... "Youngblood, get my port scanner I got a zero day cornered over here. Freeze motherfucker!"

  • by Anonymous Coward
  • by Raul654 (453029) on Friday May 31, 2013 @04:39PM (#43877571) Homepage

    This is essentially a government subsidy to software companies that produce crappy code.

    Look at Walmart. it pays its employees so little money that they have to use government assistance like foodstamps and medicare. Walmart shareholders reap the benefit, and the public is left taking care of their employees.

    Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur (and for smaller companies, require them to carry insurance up to a certain level of liability).

    • by Raul654 (453029)

      Correction: I meant to said medicaid (which is for poor people), not medicare (which is for the elderly).

    • Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur

      If someone implemented your idea a few decades ago, there would be no vulnerabilities today ... because the Internet, the World Wide Web, etc. would have never been created.

      • by Raul654 (453029)

        That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

        • That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

          So then as soon as they became critical, the original authors would have to assume billions in liability? Or would software be exempted if it was not critical at the time it was written? So the liability would only apply to things that were "critical" before they existed? It sounds to me like this hasn't been thought through very well.

          • by Raul654 (453029)

            It would be fairly easy to have DHS come up with a list of things (physical locations, services, etc) to designate as critical to national infrastructure. In fact, I'd be shocked if they don't already have such a list already.

            The organization that runs these these locations/services would have to build into all of their software contracts a liability clause.

            Problem solved.

            • The organization that runs these these locations/services would have to build into all of their software contracts a liability clause.

              Problem solved.

              Except the problem isn't solved. Our infrastructure is already underfunded. Making all the software cost ten times as much isn't going to help that. Every upgrade will also need new liability clauses and legal review. So upgrades will be less frequent, and our most critical infrastructure will be running the oldest and crappiest code, often written by companies that no longer exist because they were sued into bankruptcy. The military already learned this lesson: they found that the extremely expensive

              • by thoth (7907)

                There's a couple of logic holes here.
                First, who wrote that mil-spec software? Was it a contractor or private corporation? Ah, so the real blame on unreliable expensive software is with some private corporation, not the government, right?
                As for COTS being more effective, that's great assuming the critical infrastructure can be run on COTS.

                As far as this bug bounty, it is a terrible idea. Sorry corporate America, if you want to keep your code private and reap the corresponding profits, you also get to assume

                • by socode (703891)

                  If it was mil-spec, there should have been a pretty stringent acceptance process. Why would anyone sign up to unlimited liability?
                  -there was an agreed spec
                  -the client set the acceptance criteria
                  -they delivered what was in the spec
                  -triggering acceptance finalizes the contract and their liability is limited

    • by kamelkev (114875)

      Agreed. Reminds me of Scott Adams' famous "Write me a new minivan" Dilbert comic:

      http://search.dilbert.com/comic/Write%20Minivan

      The only viable solution is to assert a cost to the providers of the software. If said cost is linked to such a bounty program, all the better - but you clearly cannot create a scenario in which writing bad code somehow ends up benefiting the software producers.

    • by h4rr4r (612664)

      It is worse than that.
      Walmart actually teaches its employees how to file for these benefits and markets these programs to them actively.

  • Will there be a bug bounty program for our codes of law, or do I still have to be in a corporation and pay them for my fixes [opensecrets.org]?

    • That was my first thought. Why can't we point out loopholes in the tax code and get a portion of the proceeds from tightening the legal code?

      Why can't we interface prosecutorial databases and law books to find statutes that haven't been enforced in several decades & argue for their dismissal?

      Actually, that would make a pretty fun platform when it comes to running for an elected office.
      Find useless red tape & I'll work to eliminate it. Find tax loopholes & I'll close them.

  • by WillgasM (1646719) on Friday May 31, 2013 @04:44PM (#43877625) Homepage
    Is the reward money enough to get me out of federal prison when I'm arrested for unauthorized access?
  • Some software authors would intentionally create bugs that their accomplices would then "discover".
  • by thoth (7907)

    This sounds like a terrible idea. There are times the government should get involved in something, and time they shouldn't. This is one of those times they shouldn't.

    It isn't the charter of any federal agency to shore up the products of private corporations. Corporations should be doing that anyway, and under the typical free market is awesome attitude most users here have, the expense of paying for bug discovery and fixes should factor into the corporation's pricing, profits, potential liability (haha) and

  • When you find the bug, they are just going to throw you in jail like they do with other vulnerability exposers. Then they'll offer you an out - be employed by them permanently at crap wages to avoid prison time.
    • by idontgno (624372)

      Kinda like Snake Plisskin, except without the the tattoo, the eyepatch, the stealth glider, the weapons, or the general bad-assedness. Like Snake without the cool stuff. A nerd Snake.

  • But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who donâ(TM)t pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks.

    Why should the government subsidize these businesses?
    I wouldn't have a problem with it if the program was revenue neutral, meaning the companies had to pay the government to essentially run a bug program for them.

    Alternatively, instead of the carrot, how about the stick?
    Penalize companies that refuse to implement secure design/coding practices and penalize them separately if their hardware/software comes out insecure.

  • by h4rr4r (612664) on Friday May 31, 2013 @05:09PM (#43877857)

    Instead of this why not just give our tax dollars away to big vendors?

    A simple tax giveaway would be cheaper to administer and have the same end result.

    Why in the world is this even an option?

  • I'd like to report a bug. I submit my taxes online, but don't get refund checks. Instead I keep getting certified nastygrams.

    Clearly there's some major flaw going on.

  • If Homeland Security said,"It is okay, attack our servers, our power grid, and other infrastructure. We'll pay you if you find a vulnerability." Then they can't just haul you to jail if you attempt it. I always thought,"Don't mess with the stuff to begin with" was a significant deterrent for most people. Now, you might say,"Fix it before an enemy of the state uses it for true detrimental means", well then you'd have to argue with brass who have to admit they were wrong all along.
  • What? You say that you caught me breaking into the CIA, FBI, the White House and another unnamed three letter agency? Naw, I was just participating in the Government sanctioned Bug Bounty Program. Proudly helping my country protect itself from evil-doers. If you don't believe that then I declare a fatwa on you and I want my Imam, I mean Lawyer.
  • Complete lack of voluntary support - as expounded upon by Marc Stevens (http://lrn.fm/shows/#NSP), Stephen Molyneux (http://freedomainradio.com/), Larken Rose (http://www.larkenrose.com/)... Oh yeah, and Lysander Spooner (https://en.wikipedia.org/wiki/Lysander_Spooner)
  • In cases of murder, the first thing the police do is investigate the spouse, especially if they are the one who say, came home and discovered their wife had been killed. They are considered the initial suspect.

    I would be surprised if anyone who reported a bug wasn't likewise investigated to see what they might have done right after they discovered it. Seems like a person would be opening themselves up to some possible grief doing this.

  • Now companies create crappy software with bugs, and then get government subsidized software security testing.

  • If I understand correctly, this is about government doing bug bounty programs for vendors that do not? That looks like an incitation for vendors to not do it, since government will. Except of course if we introduce a tax on vendors that do not have bug bounty programs.
  • There is a bug bounty system for FOSS projects at http://ospif.org/ [ospif.org] - which is designed to reward improvements to Open Source projects.
  • The US Government will never allow a random citizen leverage over it, nor to provide for any obligation to that citizen due to the help they've contributed (ask many veterans).

  • Is the government going into the software publishing business? No? Then why should the government be paying for other corporations mistakes. If anything they should be fining the corporations. Giving the corporations more incentive to find bugs.
    We don't need to be finding a way for DHS to spend more money, we need to find a way to get rid of DHS.

You know that feeling when you're leaning back on a stool and it starts to tip over? Well, that's how I feel all the time. -- Steven Wright

Working...