‘Pay-For-Bugs’ Approach By IT Security Vendors Sends Out The Wrong Message

Reports that Barracuda Networks is offering in excess of $3,000 for details of serious bugs in its IT security products are the latest stage in a worrying new trend.

Even though Barracuda is billing the bug bounty scheme as being in the best interests of customers, there is a significant danger that it will attract developers into researching the vendor’s products and then offering what they find to the highest bidder.

And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers – as well as cybercriminals – now inhabit.

With even organisations like Google and Mozilla offering juicy sums of money for bugs in their software, other vendors are bound to follow suit. But just because it is becoming the norm for the IT industry does not make it in the long-term interests of our market sector.

The bug bounty schemes offered by a growing number of IT players have parallels in the ‘litigate for free’ industry that has sprung up in the legal profession on both sides of the Atlantic over the last decade or so.

The law firms argue that their litigate-for-free service is really in the best interests of the consumer, but the problem is that a whole new industry has been created, and it has ended up pushing insurance premiums up for most businesses.

Someone, somewhere, has to pay for these types of services, and the same conclusions apply to the bug bounty programs offered by IT vendors. The irony of the situation is that as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also end up ‘paying’ as the tide of malware and other electronic mayhem rises as a result.

This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that’s why we say that they are not in the real interests of our industry. In the short term they make a good story – and perhaps even a good event like CanSecWest’s Pwn2Own cracking contest in North America – but the bottom line is that it’s not in our industry’s best interests to offer such large sums of money. For that reason we give a definite thumbs down to such practices.


Anthony Haywood is the Chief Technology Officer (CTO) of UK-based network security auditing and testing company Idappcom. Anthony is guiding its future development of advanced network-based security auditing and testing technologies, as well as assisting organisations to achieve the highest levels of network threat detection and mitigation. The last decade has seen Anthony's network security auditing and testing solutions adopted by government, military, telecommunication and financial organisations worldwide, including all of the industry's network security hardware vendors.

  • Mr. Haywood, your logic seems extremely specious at best. How will offering bug bounties increase the risk of undisclosed vulnerabilities? These vendors are already being heavily targeted by blackhat hackers looking for exploits. The offering of a bounty for responsible disclosure to the vendor does not in any way increase this risk. When added to an already existing SDL, it serves as a way to crowdsource additional security testing in the field. It is, in effect, a form of due diligence. The fact is, at worst, this new idea could only have little to no effect on exploitation and malware. It will more likely cause a decrease, as legitimate security researchers will have incentive to focus on these vendors and disclose the same vulnerabilities the malicious hackers find. This will allow vendors to issue patches to fix these issues in a more timely manner. Of course, since your company has been marketing security appliances as a replacement for penetration testing, it is not really a surprise that you would take such a stance. I have constructed a more detailed breakdown of your arguments in my post at
    http://cosine-security.blogspot.com/2010/12/dear-