Proposed: a Bounty for Bugs

Big Bucks for Big Bugs

  • alert
  • submit to reddit

Protecting against web application threats using SSL

Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible, argues SecurityFocus columnist Mark Rasch.

Microsoft recently announced a $500,000 bounty for the arrest and prosecution of those responsible for the SoBig and Slammer attacks. This is, in essence, offering to pay money to catch the guys who stole the horse after the barn door is left open. I have another idea: a bounty for security holes, paid to the grey hat hackers who find them.

I'll loosely define grey hat hackers as those who, on their own initiative and without any authorization, discover but do not exploit (well, maybe just a bit to validate the existence) new vulnerabilities in hardware, software, or configurations. If they do this with full knowledge and authorization of the affected company, they are white hats; if they criminally exploit the vulnerabilities, they are black hats.

There are a couple of model protocols for these bug finders to tell vendors about a vulnerability, and for vendors to respond appropriately. Security researcher Rain Forest Puppy wrote one, and the industry group the Organization for Internet Safety has proposed another set of rules for each party to this dance.

What is lacking is an effective mechanism for grey hat hackers to notify vendors, validate that such notice has been received, get credit (and sometimes compensation or remuneration) for the discovery, and verify that the vulnerability has been remediate.

My solution: an ISAC for grey hat hackers.

An ISAC, if you don't know, is an Information Sharing and Analysis Center. This is the mechanism officially promoted by the U.S. and other governments for securely and confidentially sharing vulnerability information within an industry: the IT industry has an ISAC; telecommunications companies have one of their own; banks have a "Financial Services" ISAC. The list goes on.

Of course, none of the ISACs include grey hat hackers on their board of directors, and the organizations decidedly do not serve as a forum for this community to advice organizations about vulnerabilities.

The Grey Hat ISAC would be a semi-confidential hacker board. Grey hats would transmit information -- as detailed as they like -- about any new vulnerability. They could do this either for attribution, anonymously (including using anonymizing technology), or under an established pseudonym.

The information would not be posted to the board, however. The posting would be assigned a tracking number that the bug-finder could follow. Thus, the grey hat would be able to track when the vendor or organization was notified of the vulnerability, and whether they acknowledged receipt. They could get a progress report periodically (weekly? every three days?), and there would be a mechanism for the vendor or organization to contact the grey hat for more information.

Thus, the vendor could post a message tied to the tracking number indicating that they need more information, and the general category of information they need. The operator or the site could help facilitate the communication between grey hat and vendor.

Big Bucks for Big Bugs

The vendor would then notify the grey hat of the results of its inquiry. If the vendor fails to respond adequately (and the rules about what qualified as an "adequate" response would have to be pre-determined), the grey hat would be free to post the information, either to the affected community confidentially, to the site's own board, or to other forums -- depending on the rules developed in establishing the board.

After a predefined time period -- anywhere from 10 days three weeks -- the vulnerability would be publicly disclosed, hopefully together with the vendor's response and a fix. The grey hat would get credit for the discovery.

The whole thing would be funded by the vendors, through cash rewards for serious bugs.

If the vulnerability creates a substantial risk to the vendor, or the product's users, the vendor would pay a bounty for the discovery, in addition to giving the finder proper credit. So, for example, the vendor could pay $6,000 for a vulnerabilitiy, with $1,000 to the operator of the board, and $5,000 to the grey hat's Pay Pal account.

Of course, if the bug-finder committed a crime in the discovery of the vulnerability (e.g., stole internal documents, broke into computers, etc.) he or she would be ineligible for the reward, and would be eligible for free room and board compliments of the Attorney General.

The Grey Hat ISAC would defuse the legal and ethical minefield that these hackers are walking today. Under current law, if they demand compensation in return for telling the vendor of a vulnerability (or for not telling others), they may be guilty of extortion. Moreover, the act of publicly revealing a vulnerability may itself lead to civil and criminal liability. From a moral and ethical standpoint, who appointed these guys as the protectors of the Internet? What right do they have to dictate my priorities in terms of fixing vulnerabilities? Why do I have to amass my security team at 3:00 a.m. on a Sunday because they decided to use that instant to tell the world exactly how to commit an illegal break-in into my network?

Vendors and online businesses are not blameless either. Too often, companies tell their shareholders, consumers, regulators, and business partners that they are secure, and then fail to act on information that would belie these conclusions. When grey hats do try to advise them of new vulnerabilities, these warnings go unheeded -- or at least it appears this way to the grey hats. Configuration problems persist for months or years, making the vendor or user more and more vulnerable to potentially devastating attacks.

There are lots of details that would have to be worked out. But why not have vendors pay the bounty to make themselves more secure, rather than opening their wallet once it's too late? And why not give the grey hats a mechanism to inform the vendors, and at least give them the chance to do the right thing? I think it's worth a shot.

Copyright ©

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.