
posted by Fnord666 on Monday August 26 2019, @10:39AM   Printer-friendly
from the all-bugs-are-shallow dept.

Submitted via IRC for SoyCow3196

Relying on bug bounties 'not appropriate risk management': Katie Moussouris

If you expect a bug bounty to find and fix your organisation's hidden cybersecurity problems, you're wrong. To steal a line from the late John Clarke, you're a fool to yourself and a burden to others.

Bug bounties are certainly sexy. You'll look like you're engaging with the wider cybersecurity community, and you'll get great media coverage when a hacker strikes it rich.

There's also the belief that if your organisation doesn't pay to know about the bugs, then organised criminals and nation-states will.

But the reality? You may well be paying out big bucks to find generic, easy-to-find vulnerabilities, according to Katie Moussouris, founder and chief executive officer of Luta Security.

"Not all bugs are created equal," she told the Gartner Security and Risk Management Summit in Sydney on Monday.

The vast majority of bugs found via bug bounty programs are cross-site scripting (XSS) bugs: a well-known class of bug that is easy to detect and easy to fix.

"Why would organised crime or nation-states pay for simple classes of bugs that they can find themselves? They're not going to pay some random researcher to tell them about cross-site scripting bugs," Moussouris said.

"You should be finding those bugs easily yourselves too."
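The XSS class the talk singles out as easy to detect and easy to fix, shown as an added example (not code from the article, the talk, or Luta Security): a reflected-XSS page handler beside its output-encoded fix, and the canary-reflection probe that a scanner, or your own test suite, uses to flag the vulnerable one before a bounty hunter does. The handler names, the page markup and the marker string are invented for the illustration; only the Python standard library is used.

```python
import html

# Page templates used by a hypothetical search endpoint (names and markup
# are made up for this example; they are not from the article or the talk).

def render_results_vulnerable(query: str) -> str:
    """Reflected XSS: the user-controlled query is concatenated into HTML
    unencoded, once in text context and once inside a quoted attribute."""
    return (
        "<html><body>"
        f"<h1>Results for {query}</h1>"
        f'<input type="text" name="q" value="{query}">'
        "</body></html>"
    )


def render_results_fixed(query: str) -> str:
    """The fix: HTML-encode on output. html.escape(quote=True) rewrites
    & < > " ' so the value can neither open a tag in text context nor
    close the surrounding quoted attribute."""
    safe = html.escape(query, quote=True)
    return (
        "<html><body>"
        f"<h1>Results for {safe}</h1>"
        f'<input type="text" name="q" value="{safe}">'
        "</body></html>"
    )


# A canary probe of the kind a DAST scanner or an application's own test suite
# sends: a unique marker on each side of the HTML metacharacters we care about,
# so the response can be checked for our input without knowing the page layout.
MARKER = "zx9q"                      # unlikely to occur naturally in a page
METACHARS = '<>"\''                  # any of these surviving means breakout
PROBE = f"{MARKER}{METACHARS}{MARKER}"


def reflected_metachars(render) -> str:
    """Render the page with PROBE as input and return which of METACHARS come
    back unencoded between the first pair of markers ('' if none, or if the
    input is not reflected at all)."""
    page = render(PROBE)
    start = page.find(MARKER)
    if start == -1:
        return ""                    # not reflected: no reflected XSS here
    start += len(MARKER)
    end = page.find(MARKER, start)
    if end == -1:
        return ""
    reflected = page[start:end]
    return "".join(c for c in METACHARS if c in reflected)


def has_reflected_xss(render) -> bool:
    """True if the canary shows that user input reaches the page unencoded."""
    return reflected_metachars(render) != ""


if __name__ == "__main__":
    payload = '"><script>alert(1)</script>'
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("fixed", render_results_fixed)):
        print(f"{name}: reflected metachars={reflected_metachars(render)!r} "
              f"xss={has_reflected_xss(render)}")
        print("   ", render(payload))
```

The probe finds the vulnerable handler and clears the fixed one. The caveat a practitioner will want: output encoding is context-specific. `html.escape` is the right encoder for HTML text and quoted attribute values; a value that lands inside a JavaScript string, a URL, or an unquoted attribute needs the encoder for that context, which is the difference between "easy to fix" and a fix that stays fixed. Running a check like this in CI is what "finding those bugs easily yourselves" looks like in practice.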


  • (Score: 0) by Anonymous Coward on Monday August 26 2019, @11:17AM (#885594)

    ... but some are less shallow than others.

    • (Score: 1, Insightful) by Anonymous Coward on Monday August 26 2019, @02:29PM (#885646)

      Some statements on security are quite shallow too.

  • (Score: 4, Insightful) by AndyTheAbsurd (3958) on Monday August 26 2019, @12:05PM (#885601) Journal

    Relying on a bug bounty program as the entirety of your security strategy is terrible risk management.

    Using a bug bounty program as part of your risk management strategy can be a good idea - provided you already have other, better pieces of the strategy in place. Things like static analysis of your code and scanning for known vulnerabilities (which would catch a lot of the easy stuff, like XSS and SQL injection attacks), and probably a lot more I'm not thinking of because I'm not a cybersecurity guy.

    Security isn't a destination, it's a program that you have to keep up with. Attacks and defenses evolve in line with each other, and modern attacks tend to be nets rather than spears; not updating your defenses is a surefire way to get caught in someone's net.

    --
    Please note my username before responding. You may have been trolled.
    • (Score: 3, Interesting) by bzipitidoo (4388) on Monday August 26 2019, @05:19PM (#885715) Journal

      How many people on here have tried for a bug bounty? I've reported bugs on a lot of different projects, such as Firefox and the Linux kernel, but I have never gone for or received a bounty. It just never felt like a good idea. Among other things, like that I'm not much interested in the projects that offer bounties, the pay isn't enough to compensate for making myself into another target for organizational paranoia. Messengers get shot at a little too often to suit me.

      Something else I wonder is how often does the organization cheat the bug hunters, come up with an excuse not to pay a bounty? Like almost happened, according to a story here just the other day?

    • (Score: 1, Insightful) by Anonymous Coward on Monday August 26 2019, @07:47PM (#885778)

      That's the whole point of the article. Bug bounties don't fix security any more than keeping patched doors does. But when used along with other measures they are effective.

      The other issue is that the pay for the bounties isn't necessarily competitive with exploiting or selling the details. So there's more interest on the criminal side.

  • (Score: 0) by Anonymous Coward on Monday August 26 2019, @01:58PM (#885629)

    They provide an incentive not to take the other bug bounty paid in stolen bitcoins.

    • (Score: 0) by Anonymous Coward on Monday August 26 2019, @03:27PM (#885669)

      They also get your name on a list of 'interesting people' who can be rounded up and disposed of once the police state is ready for the next step.

      Do you really buy the whole "we're the good guys" hoax?
