Chris Gates at Carnal0wnage wrote a thought-provoking article today and raised a couple of questions. This topic is something I have definitely been thinking about for the past couple of years. Here are my thoughts, outlined with respect to the various questions asked.
Before I answer these, let this be very clear: the answers are my own and are not associated with any of my work or the company I work for. The answers below are my own and are subject to change if adequate reasons are provided; refer to the disclaimer here. Also, the answers are from the point of view of someone who is a pentester, does public disclosures or bug hunting for open source, and did a stint in bug bounty too, but I have had very little experience on the other side of the bug bounty table, i.e. receiving bugs found in my own applications or websites.
1. Does a vulnerability I wasn’t asked to find have value?
It does have value; many times, professionally and personally, I have reported issues that were out of scope. It’s simple: if it is not good and I have seen it, I have a moral responsibility to report it. But whether that value is monetary in nature is something we need to look at separately.
2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?
Nope. If I didn’t make any social or public/personal commitment to pay up, I am not obliged to pay. If I am not fixing it, then I believe the researcher going out in public and telling people about it is also a good idea, as that gives me an incentive to fix it, but even then I am not obliged to pay up. If we assume that paying up is the case, it is then going to get into the murky waters of what’s the right amount for each issue. I might consider an XSS worth $1; others like, say, GOOG or FB might give $3113 or more. In short, perspective matters.
3a. If #1 or #2 is Yes, when a business doesn’t have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something? If they have a BB program I think most people agree yes. But what about when they don’t?
They should not be. Like I said above, I didn’t commit to it; you made a good-faith effort to help, I fixed it, done deal. Unless the idea was to get money, which I would personally term as extorting money (maybe by suggesting there are more bugs but giving no details, or saying “I will disclose when you pay”).
3b. Does the size of the business make a difference? If so, at what level? Mom and pop maybe not, VC-funded startup? 30 billion dollar hedge fund?
I don’t think it makes any difference. If I am a mom-and-pop store and I want security, I opened a bug bounty and committed to pay, so I will pay. If I am a hedge fund company and I don’t care about bug bounties, I will not pay. When we want people to be selective about targets, why can’t companies be clearly selective about the money they spend?
4. Is a “Thanks Bro!” enough, or have we evolved as a society where basically everything deserves some sort of monetary reward? After being an observer for two BB programs… “f**k you pay me” seems to be the current attitude. If they did a public “Thanks Bro”, does that make a difference/satisfy my ego?
A “thanks, buddy” would be a good gesture. If we play for satisfying egos, it doesn’t matter what you do; someone will not be satisfied. On money, see below the questions.
5a. Is “making the Internet safer” enough of a reward?
I suppose yes. It should be, if you started with that aim or with no aim. If you started with “I will make money”, everything has a price that you should be paid, and you will be unhappy when it’s not paid.
5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Less safe is a relative term depending on what’s being exposed. If the S3 bucket contains static files only, I don’t think it makes any difference. Client data: “yes”, it’s not good for them; not sure about the entire Internet. Does the data include plaintext or easily reversible passwords? Does the data contain PII? Again, the answer would be much more nuanced than just yes or no here, depending on each scenario.
Does a company leaking their OWN data make the Internet less safe? [It’s good for their competitors]
Again, relative to what’s exposed.
If they get ransomware’d or their EC2 infra shut down/turned off/deleted Code Spaces style, am I somewhat (morally) responsible if I didn’t report it?
Nope. Assuming you didn’t blabber about it at some random place which in turn gave rise to the initial idea of a ransomware attack on them, you don’t have liability.
6. Does ignoring a pretty significant issue for a company make me a “bad person”?
Nope, if you are an attacker or outsider. Yes, if you are a person responsible for that product.
7a. Am I a “bad person” if I want $$$ for reporting the issue?
Not necessarily, but more on that below.
7b. If yes, is that because I make $X and I’m being a greedy bastard? What if I made way less money?
Doesn’t matter; refer to the answer above.
7c. Does ignoring/not reporting an issue because I probably won’t get $$ make me a “bad person”? Numbers 1-3 come into play here for sure.
YES. More on that below.
So, expanding on these points, I feel there is a central point that needs to be addressed: MONEY and information security. As I already clearly outlined here, we need to define things a bit. Something which seems too important for a company might not have enough merit for me to wonder about, or I may not have the budget or willingness to consider a bug bounty; all possibilities should be considered valid options. We have seen a change in tide recently, from 2015: HBR: Why Data Breaches Don’t Hurt Stock Prices, to Stock Prices Average Significant Drops After a Breach and 2017: After a data breach is disclosed, stock prices fall an average of 5%, but it’s still an ongoing process where security gets the prime seat. No matter where we stand, security will never be a driving force; the driving force would be a combination of good features + security, or a working and secure product. Security on its own is useless if the product is not working at all.
Another recent trend that bug bounties have brought is that people are joining this industry like any other industry, for money. For them it’s a day job; it’s not passion, it’s not something they want. It’s just a means to an end, the end being making money. It’s something they need because they want more money. When money is the driving factor, everything is looked at through money glasses:
- Why should I find bugs when this site pays less?
- Why should I find bugs in open source? They don’t pay.
- Why should I spend time finding big bugs if I can find XSS in many sites, get away with it quickly and make more money with copy-pastes?
Simply put, a money-minded approach to security doesn’t work when it’s defense, and it will not work when it’s offense to improve security. When money is the driving force, people will focus on money and not on anyone else’s well-being. Right now bug bounties are driving this forward: money matters and only money matters. “We offer bigger bounties, test us” is what the biggies have gotten to. How can small shops (as bug-bounty-running firms) compete with that? I would personally prefer keeping money as a separate object and focusing on learning etc., but the world doesn’t work according to me, so that’s that. So overall what I feel is that somewhere down the line we have taken a wrong step in prioritizing money, or maybe I might just be totally wrong and this could just be the change that was needed to drive security forward.
That brings in another question: should everyone have a public bug bounty? I would not suggest that. Unless a company has a robust internal team to handle bug bounties and has ensured all the major stuff is sorted already, it doesn’t make any sense to have a bug bounty program and open yourself to a torturous journey. A bug bounty, when managed in a proper manner, will help, but unmanaged it will bring down your reputation very quickly.
I think I have written enough about this now. Feel free to comment and add your thoughts either here or on Twitter.