Bug Bounties: Why Paying Hackers Makes You Safer

Would you pay a burglar to break into your own house? Most smart people would probably say no, but smart tech companies are increasingly saying yes. Companies like Google are offering serious rewards to hackers who can find ways to break into their software.

These companies frequently pay thousands of dollars for the discovery of a single bug–enough so that bug hunting can provide a significant income. And on a different, broader level, the hacker who finds the best way to protect Windows applications from being compromised is in line to take home a cool $200,000 from Microsoft in its BlueHat Prize competition.

The companies involved say that the bounty programs make their products safer. “We get more bug reports, which means we get more bug fixes, which means a better experience for our users,” says Adam Mein, a security program manager responsible for the Web Application division of Google’s Vulnerability Reward Program. “We also develop positive relationships with the researchers who are finding these bugs.”

But the programs aren’t without controversy. Some companies, notably Microsoft, believe that bounties should only be used to catch bad guys, not to encourage people to find holes. And then there’s the issue of double-dipping–the possibility that a hacker might collect a prize for finding a vulnerability, and then sell information on that same exploit to malicious buyers.

The Big Dance

The World Series of Poker for hackers is Pwn2Own, the annual hacking competition that occurs each year during the CanSecWest security conference.

“Our large cash bounties attract press coverage from major media outlets, raising awareness among consumers about security vulnerabilities,” says Pwn2Own Logistics Manager Aaron Portnoy. “That puts pressure on vendors like Apple and Google to address the security of their products.”

Anyone who successfully hacks a phone or Web browser at Pwn2Own takes home a $15,000 cash prize, as well as the device they used to perform the hack. Google sweetens the deal by rewarding security researchers who successfully hack a Google product with an additional $20,000 prize. All told, the competition has awarded more than $160,000 in cash prizes since it began in 2007.

But that’s chump change compared to the bounties that Google has posted on its own products. Since the program’s inception last November, the Google Vulnerability Reward Program has paid out nearly $500,000 to bug hunters who report security vulnerabilities in Chromium (the open-source basis for the Google Chrome browser) or for any of Google’s many Web apps.

That’s a hefty sum, but in return the company has squashed hundreds of bugs that otherwise might not have been discovered until malefactors took advantage of them to launch some type of intrusion. The folks at Google view the bounties as a worthwhile expense because they encourage security researchers to report software vulnerabilities to the developers instead of exploiting those vulnerabilities for private gain.

Google has already hired one bounty hunter as a full-time security researcher, and more hires may follow. Clearly, big bounties have a way of bringing out the best and brightest bug hunters–some so good that they could make a living identifying bugs. Scan the Chromium Security Hall of Fame, for instance, and you’ll see that researcher Sergey Glazunov has earned almost $20,000 this year as a bug hunter. And that’s just from Google. With the proliferation of big bounties being offered by vendors or security research groups like TippingPoint (recently acquired by HP) it’s now possible for talented researchers to earn a decent living as bug bounty hunters.

Zero Day Initiative

By giving security researchers positive recognition–and big cash rewards–for reporting security flaws, the Zero Day Initiative, a vulnerability purchasing program, hopes to make the Internet safer for everyone. Once the ZDI pays a bounty on a bug, it informs the vendor responsible for the vulnerability, free of charge.

“Every year we report hundreds of vulnerabilities to Microsoft and Adobe for free,” notes Aaron Portnoy, who manages the Zero Day Initiative in addition to his work with the Pwn2Own competition. “If the vendor doesn’t have a patch ready in six months, we release the details of the exploit publicly. We put pressure on vendors to fix these problems.”

But the ZDI isn’t entirely altruistic. It can afford to pay hefty bounties (up to $25,000) for bug reports because the organization monetizes the bugs via Digital Vaccine, a subscription-based malware filter service from HP (which also owns the ZDI). Digital Vaccine provides immediate protection from the exploits collected by the ZDI to those willing to pay for it, allowing ZDI to profit while rewarding security researchers.

What About Double-Dipping?

One obvious question is, how can Google and the ZDI ensure that a hacker who finds a vulnerability and claims a reward for it won’t also sell information on that exploit to bad guys? The answer is they can’t. But that may not matter as much as you’d think.

Every bounty program we investigated maintains an honor system that excludes researchers who double-dip. But in the long run, the bounty payers don’t worry too much about the possibility that bug bounty hunters may pass along known vulnerabilities to bad guys, because those vulnerabilities will become obsolete in the next patch. Ultimately ZDI make money by selling Digital Vaccine to subscribers who pay for the privilege of receiving near-immediate bug fixes for their favorite products and services, instead of waiting for the vendors to patch the uncovered vulnerabilities.

Target Hackers, Not Bugs

The philosophy of bug bounty programs boils down to this: Catching burglars is too hard, so instead let’s make sure the house is really secure. “Targeting hackers is increasingly difficult,” says Portnoy. “The Web is anonymous. Hackers can easily share exploits, so it’s a lot easier to just eliminate the exploits.”

Not every company agrees with that point of view, though. Microsoft maintains that cash bounties should be posted only to paint a tantalizing bull’s-eye on notorious hackers.

“The only ‘bounty’ programs offered by Microsoft are rewards for helping bring criminals to justice,” writes Jerry Bryant, a group manager of the Microsoft Trustworthy Computing Group, in an email to PCWorld. “These are quite different from ‘bug bounty’ programs, which we do not offer.”

Microsoft has posted multiple $250,000 bounties for information leading to the arrest of infamous hackers, including those responsible for the Rustock botnet, the Conficker virus, and the Sasser worm. The Sasser bounty led to the arrest of a teenager who allegedly wrote the worm (he was turned in by two friends). The other bounties haven’t yet led to arrests.

BlueHat Prize

At this year’s Black Hat Security Conference, Microsoft announced a different kind of bounty. This one doesn’t target bad guys or bugs. Instead, the BlueHat Prize is a $200,000 cash bounty for the most innovative prototype that prevents exploitation of memory safety vulnerabilities in Windows applications.

“When considering the BlueHat Prize, we wanted to look beyond standard ‘pay per vuln’ programs and address the really big issues impacting the security industry, and reward work on innovative solutions that can mitigate entire classes of attacks,” writes Microsoft’s Bryant. In other words, enterprising bounty hunters should go big or go home.