websecurity@lists.webappsec.org

The Web Security Mailing List


FYI: We're now paying up to $20,000 for web vulns in our services

Michal Zalewski
Mon, Apr 23, 2012 7:05 PM

Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start (November 2010), and I was surprised to see
that simply having an honest, no-nonsense, and highly responsive
process like this... well, it works for a surprisingly high number of
skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray
market vulnerability trade: you can't realistically outcompete all
buyers of weaponized exploits, but you can make the issue a lot less
relevant. By having several orders of magnitude more people reporting
bugs through a "white hat" channel, you are probably making
"underground" vulnerabilities a lot harder to find, and fairly
short-lived.

Cheers,
/mz

Jim Harrison
Tue, Apr 24, 2012 2:07 PM

I'll keep my response short & simple...

This is an old debate, and one which never truly resolves because the contrary opinions tend to be so deeply rooted. I have no objection to anyone wanting to earn an _honest_ living finding and reporting vulnerabilities, but somewhere along the line, some researchers seem to have taken the position following Google and similar offerings that all vendors owe them this living. They do not. Google has taken a brave (some would say irresponsible) position with this program, but this fact alone does not obligate other vendors to follow suit.

I don't think anyone will (successfully) argue the relative benefits of paying a white-hat a far smaller amount than the cost of responding to a public "gotchadata!", but as with many polar subjects, things are not always as simple as they may appear. There are (and will always be) legal entanglements for any company that would make such offers; especially where there is more at risk than just their code or services. It seems clear that the Google legal team has either had their impact on it or been told that they'll deal with things as they appear; we'll probably never know.

IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery (GoodBob found it and, while it was vulnerable, EvilBob exploited it). Granted, the dishonest researcher is already looking for weak spots, but I don't think we want them stumbling onto a hole before the vendor has had time to respond to it. The odds of such an event are probably very small, but hardly zero.

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
Sent: Monday, April 23, 2012 12:06
To: full-disclosure; dailydave; bugtraq; websecurity@lists.webappsec.org
Subject: FYI: We're now paying up to $20,000 for web vulns in our services

Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can offer a personal insight. I helped shape our vulnerability reward program from the start (November 2010), and I was surprised to see that simply having an honest, no-nonsense, and highly responsive process like this... well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray market vulnerability trade: you can't realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant. By having several orders of magnitude more people reporting bugs through a "white hat" channel, you are probably making "underground" vulnerabilities a lot harder to find, and fairly short-lived.

Cheers,
/mz

Michal Zalewski
Tue, Apr 24, 2012 3:13 PM

> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery

I'm not sure I follow. Are you saying that the dishonest researcher
will not try to find vulnerabilities if there is no reward program for
the honest ones?

/mz

Charles Morris
Tue, Apr 24, 2012 3:28 PM

On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher
> will not try to find vulnerabilities if there is no reward program for
> the honest ones?
>
> /mz

I'm not sure what he means either, however I know that many
organizations treat security patches to the same lifecycle as features,
which means sometimes upwards of a year of testing, thus giving a huge
window for secondary discovery; whereas a vuln exploited in-the-wild
generally has a much faster patch. Still I'm not sure how this fact is
relevant, if it is at all. Perhaps if the adversary sees the vuln in
unencrypted email between researcher and organization and then uses it
silently, making sure not to alert anyone? Not sure, but I digress.

I don't know who believes that they are "owed" anything in this
manner, and I agree with you, Jim, on that point.

However, my main complaint is that businesses should either not pay
anything at all (perhaps $1 as a token of gratitude, some swag or some
such), or at least make a real effort. Finding a code execution vuln in
Google's whatever app-of-the-day is a non-trivial task that requires
researchers to learn a completely new landscape. I would expect Google,
of all "people", to pay 10x to 100x this amount for this sort of thing.
A you-only-get-it-when-successful $20,000 budget from Google is
insulting, considering the perhaps massive time investment from the
researcher.

There is zero ability to make an argument that such businesses "can't
realistically outcompete all buyers of weaponized exploits" as Michal
has done [ :'( ].
The huge amount of damage that badguy code executing on Google Wallet
would do would cost far more than 2M in damages, repair work, lost
business, and penalties; and yet they only pay a nice researcher 20
grand? You can't even live on that. Researchers aren't just kids with
no responsibilities, they have mortgages and families.

Increase the payouts and you not only get good guys doing good things
but you also get bad guys doing good things (even if for the wrong
reasons).

n.b. The fact that badguys take risk when doing their badguy
activities, including selling exploits, makes it even easier to
outcompete the buyers.

Still, this is a huge improvement on what it was, if memory serves. A
million thanks to Michal!
