Bug Bounties Aren't Silver Bullet for Better Security

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

Sure not

[Chatterton]

But their are a bullet in the arsenal against bugs...

Re: Sure not

[illiac_1962]

"an elite few produce the biggest volume and highest quality of bug reports across multiple products," They do appear to be working quite well, so why the doo and gloom? It's not like it's some fruitless, wasteful fad.

How to fix bugs

[AHuxley]

Write good code by hiring on merit only.
Keep the inner core of skilled coders working hard on quality productive code.
Once low quality code is part of the company it is hard work to go back and try and find good workers.

Re:

[mwvdlee]

Kinda like how hospitals should only hire good doctors so nobody will ever die again.

Re:

[packrat0x]

Also reject programemrs who won't or cant comprehend other programmers code, and insist on their rewrite.

Well, that excludes most C++ programmers.

Just kidding.

Maybe...

Re:

[Daralantan]

Kinda like how hospitals should only hire good doctors so nobody will ever die again.

This just reminds me of how hospitals try to reduce their bad "deaths while in care of" numbers by just rushing out people that are terminal. Trying to get them to hospice, etc, instead. That way someone might day a day after the hospital but hey, they didn't die there so look how safe you are in this hospital!

Re: How to fix bugs

[jd]

Coders are useless without good specifications, good practices and good languages. Test driven design beats most other forms.

Not many workplaces know how to do that, let alone budget the time to.

Half agree. Good developers discover requirements

[raymorris]

> Coders are useless without good specifications, good practices and good languages.

Good practices make a world of difference. Peer review, for example, is huge.

Good specifications, or requirements, are critical. Just as good developers learn how to write particular functions, they learn methods of finding out exactly what the requirements are. So "the requirements weren't clear" isn't an excuse for a a software engineer to have done poorly, it's what they did poorly. There are good ways of getting the

Pareto principle

[alvinrod]

Sounds like another case of the Pareto principle where a small number of people (the elite few) find the majority of the quality bugs.

I don't know if these elite few are doing this full time, but I'd imagine that they aren't if they only make ~$35k. Most could easily get six figures doing security consulting work, and I would expect that a lot of them do and only do this as a hobby or for the added notoriety. I looked up the pwn2own contest and the main page reports one guy hauled in over $100,000 in the

Uh okay?

[bhcompy]

It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western

Who said it's supposed to be a full time job? Bounties aren't jobs. They're rewards for ethical disclosure

Re:

[Anonymous Coward]

That's not realistic. You don't stumble upon security bugs. Finding these bugs requires targeted effort. Somebody has to pay for that effort. The black hats are motivated: they can profit by exploiting the bugs. Why would a white hat put in the effort if they don't get paid adequately?

Re:

[Errol backfiring]

If one really must see the entire world through capitalistic glasses, I think the real money is to be made by selling these holes to criminals and secret services. There's your market.

Re:

[AmiMoJo]

Ethical disclosure is most people's default behaviour. Bug bounties are a signal that the company is grateful and not about to sue the messenger.

Re: Uh okay?

[illiac_1962]

Because we are in an age where sjw jump at the chance to champion the cause of people who were lured in by easy money who are now butt hurt because they can't make thier bills sitting around all day. Uber drivers as employees spring to mind.

Well, this is awkward...

[Anonymous Coward]

I sure hope my boss doesn't read this article, since yesterday I held a long presentation for the whole board of directors entitled: "Bug Bounties -- the Silver Bullet for Better Security?" where my conclusion was a resounding "YES!"... They applauded. I got multiple pats on the shoulder. Everyone was happy. And now this.

It takes more than one bullet

[johnsie]

Like in any way, you would want to have as many bullets as possible at your disposal. However, you fight with the army you have, not the army you would like to have, so you need to fit everything within your budget.Having a dedicated pen tester is cool, but a lot of them just go through a set of tools or tests and then that's it. They dont necessarily know the best ways to exploit a particular system.

Re:It takes more than one bullet

[gweihir]

Indeed. Security is _hard_ and expensive. A level of security where most or all relevant attackers will just go elsewhere can be reached but it takes real effort. And it takes experience, KISS and using pen-tests, potentially bug-bounties (that are higher than what scum like the NSA feeding bug-traders offer), secure architecture and design, having security-aware coders, external security-reviews of architecture, design and implementation, etc.

Expect secure coding to be at the very least to be about 2x as the slap-dash insecure messes usually rolled out these days.

Re: It takes more than one bullet

[illiac_1962]

Yep. There comes a point where you have to know the business before you can start uncovering the really juicy exploits.

There is no silver bullet

[gweihir]

But clueless people keep looking for it. Always the same with those that mistake technology for religion that will solve all problems in magic ways.

How do you find those elites?

[booboo]

I worked in a very popular bug bounty for a short amount of time. It's about as pure a meritocracy as you can get. Young folks from all over the planet were working very hard to find bugs and some of them did very well for themselves. I would say it's clear that the bug bounty gave them the foothold and the financial backing to start a career in security.

Only the dumbest assholes on the planet think you can survive solely on a bug bounty. However, if you run it properly (which is exceedingly difficult)

Re: How do you find those elites?

[illiac_1962]

It doesn't have to be all pomp and circumstance. Bug bounties can simply work to get your in house developers to give a few shits about security.

There are no silver bullets for anything.

[140Mandak262Jamuna]

There are no silver bullets for anything.

Saying X is not a silver bullet for Y is a misleading rhetorical tactic. If X is better than !X for Y, then X is one of the solutions. That it is not a complete solution is irrelevant. If there is a Z that is better than X, then that is a valid argument.

X will not solve Y is typically used by vested interests against X not people who are genuinely interested in solving Y.

Re:

[bill_mcgonigle]

It's Clickbait for Nerds, dude.

False dichotomy

[Shaitan]

"Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs"

There is no reason you can't do both. Hell the ones you hire can even be eligible for the bounties as bonuses. It's a built in incentive program.

"Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards."

Obviously the bounties are too low and/or the bugs aren't being acknowledged properly and paid out.

Stopped

[Anonymous Coward]

A lot of hackers stopped submitting to bug bounties, because of companies like Facebook never paying their bounties.

There was always an excuse as why they didn't have to pay. Eventually after submitting multiple bounties and not being paid, they just stop submitting.

Most probably stop looking for bugs, others start selling them on the black markets so they can at least get paid for their work.

Bug Bounties only work for as long as the companies keep their word.

Facebook is NOTORIOUS about not paying for them

Obviously

[nospam007]

Silver bullets work only against werewolves, bugs have to be squashed.

Undo mod

[godel_56]

Undo errant mod.

Report Author Conflict of Interest

[Littleman_TAMU]

Report co-author and CEO of Luta Security, Katie Moussouris [wikipedia.org], doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”

Katie started the bug bounty program at Microsoft and now owns a company doing pen testing. Guess what the report recommends? I wonder what it would recommend if she were still heading up a bug bounty program? Maybe I'm overly cynical, but it appears the authors are trying to structure bug bounty programs to be more like they are, security consultants. If you're going to propose such a large change, why look at only one data set? Even the Hacker One CEO said their data set isn't representative of the whole