To quote the immortal wisdom of John Bender from the movie classic The Breakfast Club, “Screws fall out all the time, the world is an imperfect place.”
That same logic holds true when it comes to software. Vulnerabilities are discovered all the time, the world is an imperfect place. What matters is who discovers the vulnerabilities, and what they choose to do with that information. It’s important for software vendors to understand the motivations of security researchers so they can work more effectively and cooperatively to address and fix zero-day vulnerabilities rather than falling victim to them.
HackerOne is in the business of helping organizations develop and implement bug bounty programs. The basic idea is to provide a financial reward incentive for researchers to report discovered vulnerabilities rather than selling them on the black market. It’s virtually impossible—or at the very least unsustainable—for legitimate businesses to outbid the black market over the long term, though, so the question is how to balance the financial incentives with the overall risk.
Katie Moussouris, a well-respected authority in vulnerability research and bug bounty initiatives and Chief Policy Officer for HackerOne, teamed up with economic and policy researchers from MIT and Harvard to look beyond vulnerability disclosure to the broader market dynamics that drive and motivate security researchers. The results of that effort were released yesterday, and Moussouris will be presenting a session at RSA next week titled “The Wolves of Vuln Street: The 1st Dynamic Systems Model of the 0Day Market”.
“Once a vulnerability is discovered, it can be used in a variety of ways,” explained Moussouris. “While it was common in the past, the number of independent security researchers disclosing bugs to companies without pay is waning, as more and more opportunities to monetize their skills become available.”
It isn’t all about money, though. Some security researchers disclose vulnerabilities to the vendor simply because it’s the right thing to do, or for the prestige. Many security researchers are likely to take a smaller payout from a bug bounty rather than a larger payout from the black market simply because there are fewer risks involved in dealing with legitimate organizations than in taking money from the cybercrime underground.
The research from HackerOne examines the various levers or triggers that drive vulnerability disclosure and the zero-day market. In the end, the research determined that there are ways other than more lucrative payouts to tip the scales between offense and defense, and that bug bounties are an effective incentive to help find vulnerabilities faster—especially for less mature software.
Katie summed it up: “In the end, the tug of war between attackers and defenders will always exist. How we structure incentives toward making offense more expensive for attackers and giving more defenders an advantage is the question. There are more levers to tip the scales from one side to the other than just money, and defenders need to begin to use them.”
Take a look at the research on the HackerOne site. If you happen to be in San Francisco for RSA next week, you should try to attend Katie’s session. Get there early—it will probably be a packed house.