Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Paying security researchers risks breeding bad attitude, says UK bounty hunter

John E Dunn | Feb. 12, 2014
That direction is that a growing range of vendors now run programmes in which a global cottage industry of fulltime, freelance security researchers sell them vulnerabilities in return for money.

As to introducing software liability Forshaw is sceptical, worrying that it would kill the risk-taking and innovation that is the point of software.

"If you start charging companies you start dis-incentivising them to produce new features."

The volume of flaws is a direct consequence of this innovation as much as the lack of formal software development lifecycles that build in security from scratch to stop vulnerabilities from occurring. That would be too complex and expensive for many firms that already rely on getting outside coders to turn around new software as rapidly as possible. Mistakes inevitably creep in and security gets a lower priority.

"Secure programming is a nice ideal," says Forshaw, sceptically.

What about more recent ideas such as setting up a global repository or programme for buying flaws across all vendors, not just those rich enough to hand out money to professional bounty hunters?

Again, because the supply of serious vulnerabilities is always large, "outbidding the bad guys would not necessarily make the world more secure." The expense would be huge and that's before considering the effect of states bidding for flaws for their own use, he says.

That is a tough one to answer. Even if the software industry collaborated, governments would need to be part of the programme the better to feed reported flaws via national CERTs. Yet, by the same token, the governments are happy to use a private stock of flaws in cyberwarfare when it suits them. Checkmate.

For the record, Forshaw's widely-publicised reward went not into his own bank account but to fund the research he is left alone to do as part of his day job working for ContextIS.

As Forshaw puts it of the bugs he's been paid for, "It keeps me ticking along doing the things I like doing but there is always a question of how research pays for itself. It keeps the accountants at bay."

As head of vulnerability research, his success highlights an issue that tends to get lost when the issue of bug bounties gets batted back and forth; even now vendors aren't that interested in paying their own staff to do this sort of job, despite the sometimes serious consequences when unpatched vulnerabilities are used in real-world attacks.

The fact that Context IS - a firm that makes its money offering a range of forensics services - allows him to spend time on something that doesn't always have much of a commercial pay-back remains an oddity in the UK. In Britain, flaw hunters do it for love or money but usually always alone.

"The 'no more free bugs' mantra has been used for a number of years, but perhaps we have finally reached that point. This might increase the future risk that if the bounty programs are scaled back it could irritate researchers sufficiently for them to go to full disclosure or to sell into less legal markets which is bad for the majority of the users of the Internet," mused Forshaw in an earlier, unpublished article.

"Where bounty programs go from here is unclear."

Today, if Forshaw is not the UK's only successful bounty hunter, he remains the only one to receive serious money from Microsoft in return for a piece of bad news.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.