The Case For a Global, Compulsory Bug Bounty
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
Good idea... (Score:2)
Re: (Score:3)
Not all security bugs are equal. (Score:3)
The real problem is the assumption that all security glitches are equally bad.
Sure, at hack-a-thons we see impressive "I can break into this computer in under 5 minutes" demonstrations; however, this is often in a controlled environment, where they can pick and choose what services they want on and assume that a lot of people hook their PCs up to the raw internet. And a bunch of businesses do this too.
Now if there is a flaw in world-facing features such as a web browser or SSH client, yes, that is serious. But if it is a
Re: (Score:2)
Good luck getting many of the software corporations to sign up for this...
You know what "compulsory" means? It means you get to jail/fine any software companies who don't sign up for it, so I don't think much luck will be needed.
Re: (Score:3)
And good luck getting a company to pay a fine. Or is this like the UACA where the government will reach into your bank account if you don't voluntarily hand over your money to private companies?
If you're trying to stifle companies and drive them out of business, or make them go elsewhere, this is a good way to do it.
But I guess living in your nanny state, that's the only way to get companies to produce better code.
Re: (Score:2)
And good luck getting a company to pay a fine.
Are you serious? Companies pay fines all the time -- even big companies. Being a big company can mean you get to buy laws and control fines (ideally, set them so they're effectively a wrist-slap for you, but a body-slam to some upstart competitor), but once a court decides against you (and you've exhausted appeals, if applicable), you pay the fine.
If you're trying to stifle companies and drive them out of business, or make them go elsewhere, this is a good way to do it.
Well... yeah.
But I guess living in your nanny state, that's the only way to get companies to produce better code.
"My" nanny state? Are you so deep in an us-or-them mind-state that you're unable to consider that someone who does not support it could possibly crit
Re:Good idea... (Score:5, Insightful)
What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.
For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.
Re: (Score:2)
What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.
For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.
If ABC is offshore, and sells to foocorp, then isn't that "international business" kind of by definition?
Re: (Score:2)
What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.
No, what will happen is that $BIG_COMPANY will bribe^Wlobby $GOVERNMENT to make sure that no such compulsory program ever exists.
Re:Good idea... (Score:4, Insightful)
So in other words, this is about killing off independent developers. Only companies who can afford $156,000 per bug will be able to distribute programs. Free software will, of course, die overnight.
So... Apple or Microsoft?
Silly (Score:5, Insightful)
This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.
Re: (Score:2)
Re: (Score:2)
...Of course, it would also probably push up the rates for competent software developers.
I think you just made a case for proceeding with the article's proposal. At least, you just sold me on that idea!
Re: (Score:2)
This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.
I disagree, in part.
I do agree that it would increase insurance rates for software companies and increase the cost of software. But I don't think that's a bad thing. We have a serious problem today with the amount of shoddy software being pushed out and placed in critical positions where defects can result in huge losses. Software that is an attractive target for attack should cost more, because the maker should invest more into it, in the form of the appropriate security due diligence.
Re: (Score:2)
It would be nice to see software development treated like other skilled professions (engineering, medicine, etc.) as long as the pay increases with the responsibility.
Re: (Score:2)
Agreed. It's worth noting that practically everything decent on the net started out too small to absorb even one such bug bounty.
Would the first www browser have even made it into the wild if it carried that liability? I doubt it. Even if it did, Apache probably wouldn't have gotten far enough to form a foundation around it.
Next up, who pays when the bug is at the protocol level (such as the pizza thief vulnerability in FTP)? The IETF? Surely we can't fairly charge a company that faithfully implemented the
Just a bad idea (Score:1)
That's absurd (Score:4, Insightful)
That is an absurd argument. Yes some companies can and should offer bug bounties but if the only method you can rely on is out bidding the black market, then you've already lost.
Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.
Re: (Score:3, Insightful)
Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.
Who pays when a bug is found in the Linux kernel?
Re: (Score:2)
The Linux kernel project shouldn't be used when speaking in general terms about open source projects.
The fact that there are many large companies investing in the Linux kernel project makes them different.
Re: (Score:2)
This is especially true given that the insane climb in zero-day prices in recent years has largely been driven by governments starting to buy them up as weapons. You cannot outbid entities that are able to both tax and print money, it's simply impossible. All that would do is result in the NSA spending more on zero days to ensure they still win, and bankrupt a lot of useful software companies.
Kill all startups (Score:4, Insightful)
I work for a startup. Not one of those few heavily-funded startups, but a regular startup with barely enough funding to scrape by in the first few years. Like most startups.
$150,000 is just ever so slightly more than two-tenths of one percent of my startup's annual revenue.
Asking an average startup to pay $150,000 for a security bug is like asking security researchers to work for $0.10 an hour.
Re: (Score:2, Insightful)
$150,000 is double the annual revenue of many smaller non-American companies. (Think smaller companies with only two or three programmers, where a lot of the more useful/interesting software of the world comes from.)
Forcing something like this would be a disaster.
Re: (Score:2)
Though to be honest, I actually could see such a system benefiting everyone if it was forced on the big companies. Their software tends to be so wide spread that bugs in their stuff doesn't just impact their direct customers but has a watershed effect on the whole industry. So I could kinda see if a 'if you are so big your screw ups cause everyone prob
Re: (Score:2)
If we could just make it mandatory for browser plug-in vendors (Adobe, Microsoft, I'm looking at you two), it would go a long way towards improving security.
Re: (Score:3)
I don't think this would be so problematic for startups. They'd just end up buying insurance, the same way they insure a lot of other things. And the insurance companies would not only spread the risk, but they'd also actively require companies to mitigate the risk, by doing the right kinds of security reviews. Further, they'd almost certainly end up pricing the premiums differently based on the degree of risk posed by the software. If a startup is building a product that, if exploited, could lead to billio
Re: (Score:3)
The only way the insurance would be reasonable would be if the bug bounty was not a fixed price. I.e., if I have 1000 customers' credit card numbers then the bug wouldn't be worth near as much as if I had 100000 customers.
But how do you do that with open source software, or does the company running it hold the responsibility?
Also, if we are basing it on the "street value" of the bug then it still becomes insane. So if I find a bug that could cost Microsoft $10M and the street value is 50 cents on the dollar t
Re: (Score:3)
The only way the insurance would be reasonable would be if the bug bounty was not a fixed price.
Yes, that's the idea. Bug bounties would be set by the value of the vulnerabilities on the black market, so the prices would vary depending on the nature of the bug and the target. I'm doubtful that such a market would work, but if you assume that part of it does, then insuring against it would work well.
That's probably worse than just waiting and letting it happen which is never going to be 100% and has at least some chance of recovering or mitigating the loss.
Yes, that's the nature of insurance. If the actuaries do their jobs right, insurance is always, in aggregate and in the long run, a losing proposition. If you can afford the potential hit, you should not
Re: (Score:2)
Yes, that's the nature of insurance. If the actuaries do their jobs right, insurance is always, in aggregate and in the long run, a losing proposition. If you can afford the potential hit, you should not buy insurance. But insurance makes a lot of sense in cases where the probability of catastrophic loss is relatively low but the impact is, well, catastrophic.
But we're really talking about 2 different things:
1) Insurance is actuaries calculating the probability of a loss payout, requiring you to fix known problems to lessen this risk but then just sitting back and waiting for a loss.
2) A bug bounty is requiring you to pay a percentage of the loss even if there has never been an actual loss.
The first presumably already exists in one form or another. I'm not sure the second is workable in the real world. The second would be like making an insurance company pay ou
Re: (Score:2)
Re: (Score:2)
I think you're drawing an artificial distinction. Given a regulatory requirement to pay a bug bounty, there would be an actual loss to be covered.
Ok, to continue with my previous example, then it would be like the government stepping in and telling everyone that if you find your neighbor's door unlocked, you can report it and get a check from your neighbor worth half of their stuff. This would obviously cause your neighbor to want to always lock their door and to also probably want to buy insurance to protect themselves from accidentally leaving their door unlocked. But doesn't this seem a little drastic and prone to abuse? Doesn't your neighbor alread
Re: (Score:2)
I don't think that analogy is useful. If you leave your door open, you're the one that stands to lose, but if vulnerabilities exist the software company (generally) isn't the loser, which is why it makes sense to impose some method of bringing the societal costs to bear on the company. In economic terms, vulnerability costs are largely a negative externality, while security costs are internalized. That's a recipe for incenting people to ignore security, and the general solution is to internalize the externa
Re: (Score:2)
How is the price of this insurance going to be determined for a company that just came into existence? There's no track record that can be used to establish the relative risk for producing bugs.
Re: (Score:3)
How is the price of this insurance going to be determined for a company that just came into existence? There's no track record that can be used to establish the relative risk for producing bugs.
The nature of the software should provide a good basis for estimating potential damage (e.g. avionics control system vs twitterbot), and the tools and development processes used should provide a good basis for estimating risk of vulnerabilities. Indeed, much as I hate to admit it, the software industry could probably benefit from the level of rigor that insurance actuaries would apply, to both damage estimation and development methodology evaluation.
Re: (Score:3)
Yeah, here's an idea: create a company, get insurance, create bug-riddled code, get someone else to turn them in and profit...
This makes about as much sense as having firefighters paid on accord.
Re: (Score:2)
Yeah, here's an idea: create a company, get insurance, create bug-riddled code, get someone else to turn them in and profit...
Which is no different from "get an old building, buy fire insurance, have someone set it on fire and profit". Insurance fraud scams exist with every type of insurance in existence, and it doesn't prevent insurance from working.
Re: (Score:2)
Firefighters kinda are paid on accord. If there are few fires then budgets are slashed and people laid off.
---DO YOU WANT TO KNOW MORE?--- (Score:1)
Re: (Score:2)
Clickbait (Score:3)
This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.
Re: (Score:2)
This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.
Sadly, bad ideas have a way of becoming policy and law, especially when special interests and lobbyists get involved.
Re: (Score:2)
This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.
I don't think it's at all ridiculous. I don't see how to make it practical, but it's definitely not ridiculous.
Great way to kill off small players (Score:1)
This sounds like an excellent way to completely kill off all small companies, only the big players like Microsoft and Oracle will be left, prices will skyrocket.
People should really think through what they are asking for. Or is it that they have thought it through, i.e. is it actually the Microsofts of the world pushing for this?
Re: (Score:3)
Regulations often benefit the entrenched regulated against the newcomer competitor.
Go fucking fuck your fucking self, fucking fuckup (Score:2)
This guy wants to force all companies to buy something this guy's company would indubitably directly financially benefit from.
From their website:
"Our unique team of world-class security analysts have led the IT research and testing communities in providing the right information IT decision-makers need to be secure. Let us help your business make better, informed security decisions."
Way to create a market for yourself ! You go ! If you can't drum up business through providing value, head to Congress and f
Everything old is new again! (Score:2, Interesting)
I recall an old story I heard in my early days of programming. A company offered a monthly bonus to its testers for each bug found in its code. Guess what happened? The testers made deals with the programmers for a cut of the action, so the programmers created bugs and let the testers know where/what they were. Now, I guess we just have to scale this out a bit more and voilà... here is the story on Slashdot! THANKS!
Targeted at larger companies... (Score:3)
...that kind of scale could work.
For a bounty of $150,000 to be "less than two-tenths of 1% of those companies' annual revenue" (I am assuming that is each company's annual revenue calculation, not a global pool), that suggests the model is aimed at companies with >$75M annual revenue.
Newsflash for the paper authors... there are not many software development companies in that ballpark. Granted, the smaller the company, (probably) the smaller the market for their software so the smaller the need for such a bug bounty.
But if companies are going to be "compelled" to buy bug reports, that is going to require federal legislation which is not good at such fine-tuned work, especially after 150 groups of lobbyists have crafted their specific amendments to it, at which point companies will shift development efforts offshore, causing the federal legislation to be retargeted at company head-office location or companies whose software is used within the country, and a legal dance to get around the legislation begins, assuming software dev houses do not simply say their software cannot legally be used within USA.
not bounties... (Score:3)
Allowing users to recover damages seems more suitable; a "zero day" class action suit or two would result in tremendous advances in best practices for security and qa (aspects of software development that, for some odd reason, just don't seem to get much funding today). By 'allowing' I mean changing software licensing so that verbiage like '...AS-IS WITHOUT RECOURSE TO RECOVER ANY LOSSES OR DAMAGES, DIRECT OR INDIRECT...' no longer holds.
Which is a pretty huge change, and a number of interests would lobby against that. So I expect it will take a pretty severe incident (e.g. loss of life, or maybe a loss of significant money) to shock existing legislation and treaties (it would have to be global; hello WTO) sufficiently to encourage change. By "significant" I mean larger than the multi-billion dollar loss 'estimates of global damage from cybercrime' cited in TFA. That "cost" isn't nearly enough to change behavior, especially when you average it out across the world population.
Re: (Score:1)
It never should have. How is a customer supposed to determine whether a particular piece of software is "fit for purpose" if he's unable to examine the source? How can the buyers beware if they're not allowed to examine the merchandise?
On the flip side, who pays the bounty on open source software? Well, there should be no need, anyone
How about a certification? (Score:2)
For a large variety of reasons that have already been explained here, making this mandatory is an idiotic idea. What about making it part of a rating or validation though? Such things are generally voluntary except for safety critical applications.
Compelling consumption? (Score:2)
Yeah that always works well. What is this, socialized medicine?
Could this work in practice? (Score:2)
With one big practical issue, this idea seems fundamentally sound, from an economic perspective. Presumably the black market values the vulnerabilities according to their exploitation potential, which should be related to the value of the software. Currently that may not always be the case, but it should be, even in cases of cyber warfare where the attacker's interest is in doing damage, not stealing money.
Consider, for example, a control system that is used to manage a large electrical power grid. Right
Let's litigate the little guy away. (Score:2)
As an independent developer who is very security aware -- Unit tests + input fuzzing, zero memory access/free errors for release candidates, complete code coverage -- There are still bugs that can sneak in, especially when statically linking against libraries. I remember being bit by libpng -- code I did not write myself and could not hold to as high a standard. Do you charge every dev using libpng? Do I charge libpng devs? Does everyone charge libpng? How am I supposed to know who's fault it is if you
In order for this to work we need 2 things (Score:3)
A ban on "free" or "open sourced" software that doesn't have a corporation behind it. And a legal requirement that software only be produced by licensed and bonded "software engineers".
Re: (Score:2)
Exactly what I was thinking. Say goodbye to the hobby coder if something like this passes. You willing to risk hundreds of thousands in liability just to tinker around on your computer?
Re: (Score:2)
Re: (Score:2)
If this happened in the US, I would relocate to another country, which I'd rather not do.
You'd have to move to another planet. "Global" kinda makes country boundaries irrelevant. Perhaps you could trade a few choice vulnerabilities you've found to the Chinese for a ride on one of their moon probes?
Re: (Score:2)
Nonsense (Score:4, Insightful)
Re: (Score:2)
Compulsory? Bah (Score:2)
Anytime coercion enters the picture, along comes its sibling, corruption, in every sense of the word.
If your scheme is not popular enough to stand on its own two legs -- if your arguments are not enough to win the day -- propping it up with compulsion is the only recourse left, and it reaps what it's worth.
I call BS (Score:2)
NSA claims to have foiled a cataclysmic cyber threat (likely from China) to exploit a BIOS attack.
First off, there are a number of BIOS manufacturers; not all will have the same bug. Second, there are numerous bugs still existent. And even when known it is extremely hard to get manufacturers to fix them.
This sounds like the NSA found someone in China using an exploit in a BIOS to hack computers. Alerted the manufacturer, who was probably already aware of the fact after numerous Linux users had reported it years ago.
Re: (Score:2)
First off, there are a number of BIOS manufacturers...
Maybe in number, but not marketshare where there are basically 2: AMI and Phoenix/Award. The market share of all others is a rounding error.
Second, there are numerous bugs still existent.
True, but see point #1
This sounds like the NSA found someone in China using an exploit in a BIOS to hack computers. Alerted the manufacturer, who was probably already aware of the fact after numerous Linux users had reported it years ago.
Probably likely, but not a consequence of your first two points.
Market dominance (Score:2)
It might make sense if the "mandatory" part was limited to larger players in a given sector. e.g., over 20% market share or something. Certainly, vendors need more incentives to patch bugs, but I'm not sure this is the right way to go about it.
It would just create a new black market (Score:1)
Bug bounty for building code violations (Score:2)
Imagine a world where you and I could get a bounty for finding building code violations. That could be a full-time occupation, and a lot of people would be going around finding frivolous technical violations just to get the money.
Software isn't any different. There are lots of things that could be considered bugs, that shouldn't deserve a bug bounty. Who is the arbiter of what deserves a bounty and what doesn't?
This is pure BS.
And here's the case against: (Score:2)
It's a stupid idea.
I know some coders .... (Score:2)
1. They'll put the bugs in and tell me where to look.
2. I'll report the bugs.
3. We split the $150,000.
4. ????
5. Profit!