Tuesday 20 July 2010

Calling All Bounty Hunters

Upping The Anti

Almost five years ago, on August 15th 2005, TippingPoint augmented its own research organisation DVLabs with the additional zero day research of a growing network of "extended researchers", through the launch of the Zero Day Initiative (ZDI). The main stated aims of the ZDI were to leverage "the methodologies, expertise, and time of others; encourage the reporting of zero day vulnerabilities responsibly to the affected vendors by financially rewarding researchers; [and] protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the affected vendor is working on a patch."

This was a relatively novel approach at the time, although not entirely unheard of. Give or take a matter of some months, VeriSign's iDefense Vulnerability Contribution Program (VCP), an initiative that now "pays more for meaningful high-quality research than anyone", also dates back approximately that far. Their Contributor Portal allows researchers to submit vulnerabilities, then track progress as they are evaluated and processed, "simplifying the overall process and allowing faster response."

In more recent years, there has been a steady increase in the number of organisations buying vulnerabilities from researchers. While these initiatives have established a legitimate, public marketplace for bugs, there has also been a corresponding increase in pressure from researchers in the field upon vendors to do the same thing: to offer bug bounties. In January of this year, for example, Google started a new program paying security researchers $500 for each security bug found either in the Google Chrome browser, or in its open source code base, Chromium.

The Mozilla Bounty

The Mozilla Foundation, whose efforts in this direction go back an even more venerable six years, to 2004 (with the help of start-up funding provided by Linspire and Mark Shuttleworth), has now announced an increase in the cash reward for reporting a valid, critical security bug, its latest initiative to enlist more help finding bugs in its most popular software. Your remote exploit will now bag you $3000 (and of course, one Mozilla T-shirt), a considerable hike from the original $500.

The new prize applies to original and previously unreported, critical or high severity remote exploit security bugs "present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products."

Lucas Adamski, Mozilla's director of security engineering, wrote in a blog post, "A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best way to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information [...] We hope other organizations will match our program and actively support constructive security research."

Meanwhile, similar calls are growing for other vendors to redouble their efforts to engage with the community of researchers; Microsoft, for example, has seen a recent tailing off in the number of exploit research reports submitted to it gratis. Calls like this one, from Kaspersky's Threat Post.

Update, July 20: Google just updated their vulnerability disclosure policy, while on the Chromium blog, simultaneously increasing their maximum reward for single critical bugs to "eleet", i.e., $3,133.7 - is that seven cents, or seventy? - celebrating, they say, "approximately six months" of the Chromium Security Reward program. So, nothing whatsoever to do with the Mozilla announcement, then.

Update, July 22: the tremors continue, now with Microsoft reluctantly shifting policy away from the private reporting of vulnerabilities, and towards a new model labelled Coordinated Vulnerability Disclosure. What's new about this model: public recognition that the release of details about a bug before a patch is ready (in cases when attacks are already happening) may sometimes be "necessary". There are also persistent rumours that MS may pay bug bounties at a future point; an option they've always publicly discounted, and today denied again.
