
Paying security researchers risks breeding bad attitude, says UK bounty hunter

John E Dunn | Feb. 12, 2014
The booming rewards on offer to researchers hunting software security flaws risk breeding a culture of entitlement, according to one of the UK's most successful bug hunters of recent times, James Forshaw of pen-testing firm Context Information Security.

As the researcher awarded the first ever Microsoft $100,000 (£66,000) bounty 'jackpot' last October, you'd expect Forshaw, 35, to stick up for the idea of handing over money for flaws, but during a conversation with Techworld his doubts about the direction of a burgeoning industry quickly surface.

That direction is that a growing range of vendors now run programmes in which a global cottage industry of fulltime, freelance security researchers sell them vulnerabilities in return for money.

Measured and thoughtful, Forshaw's anxiety is that the growing money on offer could breed a bad attitude in some quarters, the expectation of reward from any affected vendor.

"Your biggest problem is when people demand money," he says. "People will try to blackmail companies, they will stamp their feet."

The bounty industry started a decade ago in contentious circumstances when specialist firms such as TippingPoint (now owned by HP) and iDefense started shoving cash at the shadowy coders who'd twigged that software was full of valuable and dangerous vulnerabilities people would pay to know about first.

These days, software brands including Mozilla, Google, and Microsoft have reluctantly joined in this party, setting up programmes that offer rewards for responsible disclosure of flaws in their (and usually only their) software.

It's been apparent for years that professional criminals have been driving the market with reward programmes of their own, to which nobody paid much attention until it turned out that some of these 'criminals' included nation states out to subvert one another.

Heads were banged together across the industry and the tide has now turned in favour of treating it like a market rather than a moral obligation. Vendors will never compete with criminals for rewards but at least they can drive up the price and perhaps keep some of the worst flaws - zero days - off the supermarket shelf.

Vendors have also realised that they can look foolish when researchers start publicly discussing their programmes, or more often the lack of them. Ask Yahoo, which last year turned out to be offering $12 t-shirts in return for serious flaw disclosure, almost worse than offering nothing at all. A few bad headlines later, Yahoo became the latest software house to set up a formal programme with rewards of up to $15,000 for top flaws.

"It's getting to the watershed moment. It [payment] is now seen as the rule rather than the exception," notes Forshaw. "The fact that vendors are putting up the money does legitimise the market."
