Monday, March 12, 2007

Website Bug Bounties. A good idea?

In web application security, the disclosure debate mostly revolves around the legalities of vulnerability “discovery”. This is because security researchers don’t have the same freedom to find vulnerabilities in custom web applications as they do in desktop software. However, if you’re running a large and popular website (or many of them), you probably know that there are still a lot of white/gray/black hats looking for vulnerabilities anyway, but we normally don’t invite them to do so. That’s probably why the Microsoft Security Response Center (MSRC), the group responsible for handling Microsoft’s security issues, posted a cordial message inviting the sla.ckers.org community to submit vulnerabilities to them first before public disclosure. Wow!

What happened next was interesting. digi7al64 suggested a “reward system” would be a nice incentive and gesture, since the act of disclosing requires a certain amount of time and effort on behalf of the researcher. There might be something to this. If you consider the roughly 1,000 XSS issues already publicized on sla.ckers.org (including in Google, Yahoo, MySpace, Microsoft and so on), obviously there’s no shortage of issues. I’m going to hazard a guess that most of the people disclosing vulnerabilities probably do not work professionally in the web application security field and do this for fun in their spare time. If the reward were simply a crisp $100 bill, maybe a bug hunter t-shirt, or perhaps an XBox 360 for a particularly high-severity issue, I bet that’d make their day and everyone would be happy.

Now think about this… if given the option, how many of the organizations that have been outed would have gladly paid a voluntary reward for the disclosure and saved themselves the negative press? Probably a fair number would have participated. Also, of course, if they choose not to participate, there’s nothing lost and things remain the same. Though if an organization budgeted, say, $10,000, that could help eliminate a ton of XSS and SQL Injection issues. At some point vulnerabilities would get much harder to find and system security would improve. Obviously a lot of details would have to be worked out to counteract any extortion or blackmail schemes. I’m not quite ready to begin recommending this approach, but I think it’s worth continuing a dialogue over.

5 comments:

Drew Hintz said...

Inviting people to attack your production site might not be the best idea.

> paid a voluntary reward for the
> disclosure and saved themselves the
> negative press?

I wonder if the bounty hunters would also want the vuln officially acknowledged or publicized. I bet most vulns posted on sla.ckers.org don't result in what most people would call negative press -- perhaps with the exception of the largest sites.

Rick (kingthorin) said...

"Inviting people to attack your production site might not be the best idea."

It's happening all the time, invited or not. Personally I think the majority of site owners/operators would rather know if people are getting anywhere with their white/gray/black hat efforts than blindly assume "I'm safe and they're not getting anywhere."

Jeremiah Grossman said...

Hey Drew,

"Inviting people to attack your production site might not be the best idea."

Normally I'd agree, but on the more popular sites, like thorin said, they're getting pen-tested 24x7 anyway. They're just not seeing the results.

"I wonder if the bounty hunters would also want the vuln officially acknowledged or publicized. I bet most vulns posted on sla.ckers.org don't result in what most people would call negative press --"

Probably only a fractional few, but it's hard to know which issues are going to make press ahead of time. $100 to limit that risk may not be a bad deal.

"perhaps with the exception of the largest sites."

I think that's precisely where a reward system might make sense.

Anonymous said...

I think just a simple "Notify us if you find a bug" link could go a long way to alleviate some of these issues. Too many companies take these discoveries as personal attacks. It says a lot about Microsoft's direction to provide more secure applications to their users. I'm not sure how you could safely implement a "pay per bug" program without inviting some form of extortion into the mix, though.

Jeremiah Grossman said...

Anonymous, I think you're right. Even a special email address would indeed help out a lot.

"I'm not sure how you could safely implement a "pay per bug" program without inviting some form of extortion into the mix, though."

That could be. I guess we'll have to wait for someone to try it out and see. Haven't Mozilla or some other software vendors done bounty programs in the past? I wonder how those turned out.