Why bug bounties aren’t a cure for broken software

Microsoft joins other vendors in rewarding those who privately report software vulnerabilities -- but that may not reduce customer risk

With Microsoft’s recent announcement of its grand bug bounty program, the company joined a host of major Web companies — including Google, Facebook, and Mozilla — that offer cash rewards to security bug finders. Bug bounty programs always result in more vulnerabilities being privately reported to the vendor, which then has time to research and repair them. The theory is that the more security holes are found and closed, the lower the risk of security compromise to customers.

But do bug bounty programs really reduce risk to customers? Probably not as much as you might think. There are a couple of reasons why.

Eureka, look what I’ve found!

First, bug bounty programs are no guarantee that discovered vulnerabilities, big or small, will be reported to the vendor. Big-time criminal groups and government cyber-attack teams are not about to report their bugs.

On the other hand, small-time, cash-driven criminals want the biggest payout possible. In this respect, Microsoft’s grand prize of $100,000 — far bigger than that offered by any other vendor — is incentive enough for low- and mid-level criminals to deliver their discovered bugs directly to Microsoft. It’s worth noting that all the vendors pay the largest awards to only a small percentage of bug finders, usually the ones reporting the riskiest and most easily exploitable bugs.

In the many reported vulnerability payment schemes I’ve seen during the last decade, $100,000 is often the price mentioned for top exploits. These fees are paid by a criminal element that will directly use the exploit or sell it to someone else — or they are paid to the finder by a professional vulnerability collection company, which sells it to the vendor. Most low-level exploits are sold for a few hundred to a few thousand dollars.

Many privately found exploits are never reported to the software vendor at all. Why? In many cases, the bug finder works for a larger organization as a salaried employee who has been hired to find many bugs. Those worth selling are sold; others lie fallow.

A different dynamic may persist when the hacker is independent. I know of many smart white-hat hackers who have been frustrated because they couldn’t make a decent living reporting bugs directly to the vendor. I’ve even read about a few who, in desperation, sold the bug to criminal elements. Most usually just disclose the bug publicly, which benefits no one in the short term.

Bug bonanza

Nonetheless, bug bounty programs increase the number of people who report bugs — and that’s a good thing. The biggest problem with bug bounty programs is that you never know which security bugs will “go big.” Very few security bugs, no matter how severe, end up being used to exploit millions and millions of customers.

Software vendors would love nothing more than to pay the most money for bugs that, if not patched, would cause the most pain for customers. But vendors and exploit finders have no way of knowing whether a particular bug will go nuclear. In my more than two decades of experience, I’ve become aware of a few bugs each year that I knew could go nuclear — but didn’t. Conversely, the bugs that do go big often aren’t all that new or interesting. Many have even had patches available for a long time.

You might think that patching a larger number of security exploits would directly reduce security risks for customers. This is not true. For example, Microsoft software (I work for Microsoft) has had far fewer known exploits than any of its nearest competitors — including Apple, Google, and Red Hat — for a long time now, but Microsoft software is still among the most exploited products. This is mostly because it’s the most popular software.

There’s a patch for that

More to the point, 99 percent of all successful client computer exploitations do not involve vulnerabilities that the vendor has left unpatched. They involve vulnerabilities that are known and for which patches are available — just unapplied. Or they don’t involve a code vulnerability at all, as with socially engineered Trojans, phishing, and so on.

It could even be argued that a bug bounty program, because it results in a larger number of known exploits and patches, could actually result in more exploited customers, not fewer. I know this goes against conventional wisdom, but if you look at the methods by which most users are successfully exploited, I can’t come to any other conclusion.

If found vulnerabilities could be addressed with more consistent patching, then we might have something. Actually, Microsoft does fairly well in this area, as its software consistently ranks among the most promptly patched software in the cyber ecosystem. Google often patches its software in hours to days after a bug is reported. The problem is that a certain percentage of users don’t patch their software in a timely manner — and certain categories of software tend to be badly patched. Of course, if you don’t apply publicly available patches, you can’t really fault the vendor.

Plus, a large percentage of client exploits involve inducing users to install something they shouldn’t (such as fake antivirus programs or other bogus applications). Bug bounty programs don’t affect these sorts of attacks, and aren’t meant to.

The return on bug bounties

In theory, bug bounty programs should result in decreased risk for a vendor’s customers, but the ultimate measure of success is whether that vendor’s customers are actually attacked successfully less often over time. Realistically, this is almost impossible to isolate.

Even customers of a company with a good bug bounty program may suffer at the hands of one new bug that was not submitted through the program — or one that customers failed to patch in a timely manner. One bug can cause a whole lot of problems. A vendor can report that it closed more security holes than ever and still have more of its customers hacked than ever in the same year.

Don’t get me wrong. I’m fairly excited about vendor bug bounty programs, especially because they give white-hat hackers a way to earn money for their talents legally. But I’m still waiting for definitive results that say they actually result in fewer exploited customers.

This story, “Why bug bounties aren’t a cure for broken software,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com.