The recent demonstrations of hacks on everything that moves suggest that there is a vast market opportunity for those who can uncover exploitable security holes.
The criminally-minded may use these discovered vulnerabilities for a quick payday, offering the findings to the highest bidder on the black market.
Ethical researchers prefer to report the findings to the manufacturers for remediation and possibly a reward. This reward, known as a bug bounty, has become the topic of discussion, and even one serious study.
The question that comes to mind is, do bug bounties work?
The main challenge in the industry is that there is a dramatic lack of agreement about whether or not to reward those who discover these weaknesses.
In some cases, even the most “hacker-friendly” organizations have acted in an undecided manner about whom they chose to reward.
Some other firms want no part in bug bounty programs at all, evidenced dramatically by the recent public disclosure of vulnerabilities in OS X, where the security researcher declared he had no interest in informing Apple in advance.
And just this month there was the odd, now infamous statement by Oracle CSO Mary Anne Davidson that railed against customers looking for bugs in the company’s software. The bizarre post was quickly removed from Oracle’s blog (but retained for posterity in web archives).
Most corporations that offer bug bounties are clear about the stipulations for testing and reporting prior to offering the reward. This is where some researchers run afoul of the corporate and legal rules.
While the Computer Fraud and Abuse Act may be broadly and incorrectly applied in some circumstances, a reward for reckless behavior in the name of bounty hunting would send entirely the wrong message.
For example, encouraging someone to remotely control a plane filled with passengers would not be the best business decision for an airline.
Why do some researchers work within the framework of the bounty rules, and others choose a more cavalier approach? This is the question that makes one wonder if bug bounty programs are effective.
Fortunately, we may one day know the answer. Earlier this year, security industry analyst Keren Elazari pondered that thought on Paul’s Security Weekly webcast, and is now working towards conducting research into answering the question.
It will be interesting to see the results of Keren’s work. More importantly, if the bug bounty programs are working, it will be interesting to see if this has a positive effect towards maturing the security community. That may require another study.
What do you think? Do bug bounties work? Take our quick poll, and leave a comment below.