
The Case For a Global, Compulsory Bug Bounty

Posted by timothy
from the perverse-incentives dept.
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
  • Good luck getting many of the software corporations to sign up for this...
    • by jythie (914043)
      Well, if we were going to be in favor of this, I could see a company's underwriters requiring such a system or perhaps offering it as an insurance package.
    • The real problem is the assumption that all security glitches are equally bad.
      Sure, at hack-a-thons we see impressive "I can break into this computer in under 5 minutes" demos; however, this is often in a controlled environment, where they can pick and choose what services they want on, and assume that a lot of people hook their PCs up to the raw internet. And a bunch of businesses do this too.

      Now if there is a flaw on the World facing features such as a Web Browser or SSH client, yes that is serious. But if it is a

    • Good luck getting many of the software corporations to sign up for this...

      You know what "compulsory" means? It means you get to jail/fine any software companies who don't sign up for it, so I don't think much luck will be needed.

      • It means you get to jail/fine any software companies who don't sign up for it,

        And good luck getting a company to pay a fine. Or is this like the UACA where the government will reach into your bank account if you don't voluntarily hand over your money to private companies?

        If you're trying to stifle companies and drive them out of business, or make them go elsewhere, this is a good way to do it.

        But I guess living in your nanny state, that's the only way to get companies to produce better code.
        • And good luck getting a company to pay a fine.

          Are you serious? Companies pay fines all the time -- even big companies. Being a big company can mean you get to buy laws and control fines (ideally, set them so they're effectively a wrist-slap for you, but a body-slam to some upstart competitor), but once a court decides against you (and you've exhausted appeals, if applicable), you pay the fine.

          If you're trying to stifle companies and drive them out of business, or make them go elsewhere, this is a good way to do it.

          Well... yeah.

          But I guess living in your nanny state, that's the only way to get companies to produce better code.

          "My" nanny state? Are you so deep in an us-or-them mind-state that you're unable to consider that someone who does not support it could possibly crit

      • Re:Good idea... (Score:5, Insightful)

        by mlts (1038732) on Tuesday December 17, 2013 @12:07PM (#45715693)

        What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.

        For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.

        • What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.

          For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.

          If ABC is offshore, and sells to foocorp, then isn't that "international business" kind of by definition?

        • What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.

          No, what will happen is that $BIG_COMPANY will bribe^Wlobby $GOVERNMENT to make sure that no such compulsory program ever exists.

      • Re:Good idea... (Score:4, Insightful)

        by ultranova (717540) on Tuesday December 17, 2013 @01:41PM (#45716967)

        You know what "compulsory" means? It means you get to jail/fine any software companies who don't sign up for it, so I don't think much luck will be needed.

        So in other words, this is about killing off independent developers. Only companies who can afford $156,000 per bug will be able to distribute programs. Free software will, of course, die overnight.

        So... Apple or Microsoft?

  • Silly (Score:5, Insightful)

    by Nerdfest (867930) on Tuesday December 17, 2013 @08:53AM (#45713177)

    This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.

    • by weilawei (897823)
      It might push the rates up, but that extra money would likely go to insurance. For reference, see what an anesthesiologist makes vs. how much they spend on insurance. (In 2009, this was $21,480, according to the AQI [slashdot.org]. Sadly, they've pulled the 2009 version and the 2013 version is paywalled. But you get the general idea.)
    • by Kookus (653170)

      ...Of course, it would also probably push up the rates for competent software developers.

      I think you just made a case for proceeding with the article's proposal. At least, you just sold me on that idea!

    • by swillden (191260)

      This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.

      I disagree, in part.

      I do agree that it would increase insurance rates for software companies and increase the cost of software. But I don't think that's a bad thing. We have a serious problem today with the amount of shoddy software being pushed out and placed in critical positions where defects can result in huge losses. Software that is an attractive target for attack should cost more, because the maker should invest more into it, in the form of the appropriate security due diligence.

      • by Nerdfest (867930)

        It would be nice to see software development treated like other skilled professions (engineering, medicine, etc.) as long as the pay increases with the responsibility.

    • by sjames (1099)

      Agreed. It's worth noting that practically everything decent on the net started out too small to absorb even one such bug bounty.

      Would the first www browser have even made it into the wild if it carried that liability? I doubt it. Even if it did, Apache probably wouldn't have gotten far enough to form a foundation around it.

      Next up, who pays when the bug is at the protocol level (such as the pizza thief vulnerability in FTP)? The IETF? Surely we can't fairly charge a company that faithfully implemented the

  • The problem with this sort of program is the same problem that no amount of vulnerability fixing will ever address -- the human factor. Just as social engineering is probably the biggest weakness with most systems, something like this is going to be gamed by people who figure out how to profit from a program that companies are forced to participate in.
  • That's absurd (Score:4, Insightful)

    by DarkFencer (260473) on Tuesday December 17, 2013 @08:56AM (#45713221)

    That is an absurd argument. Yes, some companies can and should offer bug bounties, but if the only method you can rely on is outbidding the black market, then you've already lost.

    Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.

    • Re: (Score:3, Insightful)

      by Obfuscant (592200)

      Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.

      Who pays when a bug is found in the Linux kernel?

      • by vilanye (1906708)

        The Linux kernel project shouldn't be used when speaking in general terms about open source projects.

        The fact that there are many large companies investing in the Linux kernel project makes them different.

    • This is especially true given that the insane climb in zero-day prices in recent years has largely been driven by governments starting to buy them up as weapons. You cannot outbid entities that are able to both tax and print money, it's simply impossible. All that would do is result in the NSA spending more on zero days to ensure they still win, and bankrupt a lot of useful software companies.

  • Kill all startups (Score:4, Insightful)

    by mwvdlee (775178) on Tuesday December 17, 2013 @09:01AM (#45713259) Homepage

    I work for a startup. Not one of those few heavily-funded startups, but a regular startup with barely enough funding to scrape by in the first few years. Like most startups.

    $150,000 is just ever so slightly more than two-tenths of one percent of my startup's annual revenue.

    Asking an average startup to pay $150,000 for a security bug is like asking security researchers to work for $0.10 an hour.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      $150,000 is double the annual revenue of many smaller non-American companies. (Think smaller companies with only two or three programmers - where a lot of the more useful/interesting software of the world comes from.)
      Forcing something like this would be a disaster.

    • by jythie (914043)
      Yeah, the selection of amount really seems kinda biased. Looking at the author's chart, the person is really focusing on only the biggest of the big vendors.

      Though to be honest, I actually could see such a system benefiting everyone if it was forced on the big companies. Their software tends to be so wide spread that bugs in their stuff doesn't just impact their direct customers but has a watershed effect on the whole industry. So I could kinda see if a 'if you are so big your screw ups cause everyone prob
      • by dgatwood (11270)

        If we could just make it mandatory for browser plug-in vendors (Adobe, Microsoft, I'm looking at you two), it would go a long way towards improving security.

    • by swillden (191260)

      I don't think this would be so problematic for startups. They'd just end up buying insurance, the same way they insure a lot of other things. And the insurance companies would not only spread the risk, but they'd also actively require companies to mitigate the risk, by doing the right kinds of security reviews. Further, they'd almost certainly end up pricing the premiums differently based on the degree of risk posed by the software. If a startup is building a product that, if exploited, could lead to billio

      • by Wycliffe (116160)

        The only way the insurance would be reasonable would be if the bug bounty was not a fixed price. I.e., if I have 1000 customers' credit card numbers then the bug wouldn't be worth near as much as if I had 100000 customers. But how do you do that with open source software, or does the company running it hold the responsibility? Also, if we are basing it on the "street value" of the bug then it still becomes insane. So if I find a bug that could cost Microsoft $10M and the street value is 50 cents on the dollar t

        • by swillden (191260)

          The only way the insurance would be reasonable would be if the bug bounty was not a fixed price.

          Yes, that's the idea. Bug bounties would be set by the value of the vulnerabilities on the black market, so the prices would vary depending on the nature of the bug and the target. I'm doubtful that such a market would work, but if you assume that part of it does, then insuring against it would work well.

          That's probably worse than just waiting and letting it happen which is never going to be 100% and has at least some chance of recovering or mitigating the loss.

          Yes, that's the nature of insurance. If the actuaries do their jobs right, insurance is always, in aggregate and in the long run, a losing proposition. If you can afford the potential hit, you should not

          • by Wycliffe (116160)

            Yes, that's the nature of insurance. If the actuaries do their jobs right, insurance is always, in aggregate and in the long run, a losing proposition. If you can afford the potential hit, you should not buy insurance. But insurance makes a lot of sense in cases where the probability of catastrophic loss is relatively low but the impact is, well, catastrophic.

            But we're really talking about 2 different things:
            1) Insurance is actuaries calculating the probability of a loss payout, requiring you to fix known problems to lessen this risk but then just sitting back and waiting for a loss.
            2) A bug bounty is requiring you to pay a percentage of the loss even if there has never been an actual loss.

            The first presumably already exists in one form or another. I'm not sure the second is workable in the real world. The second would be like making an insurance company pay ou

            • by swillden (191260)
              I think you're drawing an artificial distinction. Given a regulatory requirement to pay a bug bounty, there would be an actual loss to be covered.
              • by Wycliffe (116160)

                I think you're drawing an artificial distinction. Given a regulatory requirement to pay a bug bounty, there would be an actual loss to be covered.

                Ok, to continue with my previous example, then it would be like the government stepping in and telling everyone that if you find your neighbor's door unlocked you can report it and get a check from their neighbor worth half of their stuff. This would obviously cause your neighbor to want to always lock their door and to also probably want to buy insurance to protect themselves from accidentally leaving their door unlocked. But doesn't this seem a little drastic and prone to abuse? Doesn't your neighbor alread

                • by swillden (191260)

                  I don't think that analogy is useful. If you leave your door open, you're the one that stands to lose, but if vulnerabilities exist the software company (generally) isn't the loser, which is why it makes sense to impose some method of bringing the societal costs to bear on the company. In economic terms, vulnerability costs are largely a negative externality, while security costs are internalized. That's a recipe for incenting people to ignore security, and the general solution is to internalize the externa

      • How is the price of this insurance going to be determined for a company that just came into existence? There's no track record that can be used to establish the relative risk for producing bugs.

        • by swillden (191260)

          How is the price of this insurance going to be determined for a company that just came into existence? There's no track record that can be used to establish the relative risk for producing bugs.

          The nature of the software should provide a good basis for estimating potential damage (e.g. avionics control system vs twitterbot), and the tools and development processes used should provide a good basis for estimating risk of vulnerabilities. Indeed, much as I hate to admit it, the software industry could probably benefit from the level of rigor that insurance actuaries would apply, to both damage estimation and development methodology evaluation.

      • by Splab (574204)

        Yeah, here's an idea: create a company, get insurance, create bug-riddled code, get someone else to turn them in and profit...

        This makes about as much sense as having firefighters paid on accord.

        • by swillden (191260)

          Yeah, here's an idea: create a company, get insurance, create bug-riddled code, get someone else to turn them in and profit...

          Which is no different from "get an old building, buy fire insurance, have someone set it on fire and profit". Insurance fraud scams exist with every type of insurance in existence, and it doesn't prevent insurance from working.

        • by AmiMoJo (196126) *

          Firefighters kinda are paid on accord. If there are few fires then budgets are slashed and people laid off.

  • Srsly?... Global bug bounty? IMDB [imdb.com]
  • by SteveFoerster (136027) on Tuesday December 17, 2013 @09:09AM (#45713305) Homepage

    This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.

    • by Akratist (1080775)

      This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.

      Sadly, bad ideas have a way of becoming policy and law, especially when special interests and lobbyists get involved.

    • by swillden (191260)

      This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.

      I don't think it's at all ridiculous. I don't see how to make it practical, but it's definitely not ridiculous.

  • by Anonymous Coward

    This sounds like an excellent way to completely kill off all small companies, only the big players like Microsoft and Oracle will be left, prices will skyrocket.
    People should really think through what they are asking for, or is it that they have thought it through, i.e. is it actually the Microsofts of the world pushing for this?

    • by fche (36607)

      Regulations often benefit the entrenched regulated against the newcomer competitor.

  • This guy wants to force all companies to buy something this guy's company would indubitably directly financially benefit from.

    From their website:

    "Our unique team of world-class security analysts have led the IT research and testing communities in providing the right information IT decision-makers need to be secure. Let us help your business make better, informed security decisions."

    Way to create a market for yourself! You go! If you can't drum up business through providing value, head to Congress and f

  • by Anonymous Coward

    I recall an old story I heard in my early days of programming. A company offered a monthly bonus to its testers for each bug found in its code. Guess what happened? The testers made deals with the programmers for a cut of the action, so the programmers created bugs and let the testers know where/what they were. Now, I guess we just have to scale this out a bit more and voilà... here is the story on Slashdot! THANKS!

  • by Stolpskott (2422670) on Tuesday December 17, 2013 @09:38AM (#45713597)

    ...that kind of scale could work.
    For a bounty of $150,000 to be "less than two-tenths of 1% of those companies' annual revenue" (I am assuming that is each company's annual revenue calculation, not a global pool), that suggests the model is aimed at companies with >$75M annual revenue.
    Newsflash for the paper authors... there are not many software development companies in that ballpark. Granted, the smaller the company, (probably) the smaller the market for their software so the smaller the need for such a bug bounty.
    But if companies are going to be "compelled" to buy bug reports, that is going to require federal legislation which is not good at such fine-tuned work, especially after 150 groups of lobbyists have crafted their specific amendments to it, at which point companies will shift development efforts offshore, causing the federal legislation to be retargeted at company head-office location or companies whose software is used within the country, and a legal dance to get around the legislation begins, assuming software dev houses do not simply say their software cannot legally be used within USA.

  • by Fubari (196373) on Tuesday December 17, 2013 @09:38AM (#45713605)
    Mandatory bounties is the wrong way to go; it reminds me of this: http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]. An approach like TFA advocates would have an underground economy in bug fixes spring up and wouldn't solve real zero day. Instead...

    Allowing users to recover damages seems more suitable; a "zero day" class action suit or two would result in tremendous advances in best practices for security and QA (aspects of software development that, for some odd reason, just don't seem to get much funding today). By 'allowing' I mean changing software licensing so that verbiage like '...AS-IS WITHOUT RECOURSE TO RECOVER ANY LOSSES OR DAMAGES, DIRECT OR INDIRECT...' no longer holds.

    Which is a pretty huge change, and a number of interests would lobby against that. So I expect it will take a pretty severe incident (e.g. loss of life, or maybe a loss of significant money) to shock existing legislation and treaties (it would have to be global; hello WTO) sufficiently to encourage change. By "significant" I mean larger than the multi-billion dollar loss 'estimates of global damage from cybercrime' cited in TFA. That "cost" isn't nearly enough to change behavior, especially when you average it out across the world population.

    • by Anonymous Coward

      By 'allowing' I mean changing software licensing so that verbiage like '...AS-IS WITHOUT RECOURSE TO RECOVER ANY LOSSES OR DAMAGES, DIRECT OR INDIRECT...' no longer holds.

      It never should have. How is a customer supposed to determine whether a particular piece of software is "fit for purpose" if he's unable to examine the source? How can the buyers beware if they're not allowed to examine the merchandise?

      On the flip side, who pays the bounty on open source software? Well, there should be no need, anyone

  • For a large variety of reasons that have already been explained here, making this mandatory is an idiotic idea. What about making it part of a rating or validation though? Such things are generally voluntary except for safety critical applications.

  • Yeah that always works well. What is this, socialized medicine?

  • With one big practical issue, this idea seems fundamentally sound, from an economic perspective. Presumably the black market values the vulnerabilities according to their exploitation potential, which should be related to the value of the software. Currently that may not always be the case, but it should be, even in cases of cyber warfare where the attacker's interest is in doing damage, not stealing money.

    Consider, for example, a control system that is used to manage a large electrical power grid. Right

  • As an independent developer who is very security aware -- unit tests + input fuzzing, zero memory access/free errors for release candidates, complete code coverage -- there are still bugs that can sneak in, especially when statically linking against libraries. I remember being bit by libpng -- code I did not write myself and could not hold to as high a standard. Do you charge every dev using libpng? Do I charge libpng devs? Does everyone charge libpng? How am I supposed to know whose fault it is if you

  • by wiredog (43288) on Tuesday December 17, 2013 @10:00AM (#45713895) Journal

    A ban on "free" or "open sourced" software that doesn't have a corporation behind it. And a legal requirement that software only be produced by licensed and bonded "software engineers".

    • Exactly what I was thinking. Say goodbye to the hobby coder if something like this passes. You willing to risk hundreds of thousands in liability just to tinker around on your computer?

      • If this happened in the US, I would relocate to another country, which I'd rather not do.
        • by Obfuscant (592200)
          Headline: The Case For a Global, Compulsory Bug Bounty

          If this happened in the US, I would relocate to another country, which I'd rather not do.

          You'd have to move to another planet. "Global" kinda makes country boundaries irrelevant. Perhaps you could trade a few choice vulnerabilities you've found to the Chinese for a ride on one of their moon probes?

          • Not that I think this will happen at all, but if it did, I'd bet on some countries ignoring it and a tech boom occurring there.
  • Nonsense (Score:4, Insightful)

    by vinsci (537958) on Tuesday December 17, 2013 @10:09AM (#45714009) Journal
    That suggestion makes no sense at all, considering that governments are paying to insert security bugs either by ordering the companies to do so or by infiltration of the developer team.
    • This Stefan Frei guy is just another dishonest shill saying something colossally stupid in public to draw attention to himself and the products that his company is selling. Forcing anyone to buy something or pay a fine to anyone without prior restraint of free contract or due process in court of law is so antithetical to the very basis of western civilization that it ought to be summarily dismissed from further debate or discussion with prejudice.
  • Anytime coercion enters the picture, along comes its sibling corruption in every sense of the word.

    If your scheme is not popular enough to stand on its own two legs -- if your arguments are not enough to win the day -- propping it up with compulsion is the only recourse left, and it reaps what it's worth.

  • NSA claims to have foiled a cataclysmic cyber threat (likely from China) to exploit a BIOS attack.

    First off, there are a number of bios manufacturers, not all will have the same bug. Second, there are numerous bugs still existent. And even when known it is extremely hard to get manufacturers to fix them.

    This sounds like the NSA found someone in China using an exploit in a BIOS to hack computers. Alerted the manufacturer who was probably already aware of the fact after numerous Linux users had reported it ye

    • by slew (2918)

      First off, there are a number of bios manufacturers...

      Maybe in number, but not marketshare where there are basically 2: AMI and Phoenix/Award. The market share of all others is a rounding error.

      Second, there are numerous bugs still existent.

      True, but see point #1

      This sounds like the NSA found someone in China using an exploit in a BIOS to hack computers. Alerted the manufacturer who was probably already aware of the fact after numerous Linux users had reported it years ago.

      Probably likely, but not a consequence of your first two points.

  • It might make sense if the "mandatory" part was limited to larger players in a given sector. e.g., over 20% market share or something. Certainly, vendors need more incentives to patch bugs, but I'm not sure this is the right way to go about it.

  • As a developer, I generally try to *remove* bugs from the software, but for a share of the $150,000, I'm sure I could let something slip through and then tell you where to find it. Dilbert nailed this 18 years ago: http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]
  • Imagine a world where you and I could get a bounty for finding building code violations. That could be a full-time occupation, and a lot of people would be going around finding frivolous technical violations just to get the money.

    Software isn't any different. There are lots of things that could be considered bugs, that shouldn't deserve a bug bounty. Who is the arbiter of what deserves a bounty and what doesn't?

    This is pure BS.

  • It's a stupid idea.

  • ... at Microsoft.

    1. They'll put the bugs in and tell me where to look.
    2. I'll report the bugs.
    3. We split the $150,000.
    4. ????
    5. Profit!
