posted by Fnord666 on Tuesday April 07 2020, @07:29AM
from the shush-your-mouth dept.

Arthur T Knackerbracket has found the following story:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, which multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."

  • (Score: 2) by maxwell demon on Tuesday April 07 2020, @10:19AM (11 children)

    by maxwell demon (1608) on Tuesday April 07 2020, @10:19AM (#979931) Journal

    If person A discovers the bug and tells it to person B, then person B enters it to the bounty program and shares the bounty with person A, is person A bound to the NDA as well?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by Immerman on Tuesday April 07 2020, @01:09PM (10 children)

    by Immerman (3985) on Tuesday April 07 2020, @01:09PM (#979950)

    I don't think there's any way for a contract (such as an NDA) to bind the actions of a third party that did not sign it.

    They might put text in the bounty-claiming NDA/contract, though, that requires the discoverer to swear that they are the original discoverer and that they haven't already told anyone else. So no matter whether it's A or B that claims the bounty, if the payer catches wind of the deceit they can charge the claimer with either fraud or breach of contract and presumably reclaim the bounty.

    • (Score: 3, Interesting) by Grishnakh on Tuesday April 07 2020, @01:33PM (6 children)

      by Grishnakh (2831) on Tuesday April 07 2020, @01:33PM (#979954)

      It sounds like what's needed is a general group for bug-bounty-seekers to join, and after a bug has been found, and after the bounty paid, and some time after that (180 days perhaps), the information on the bug is forwarded to another random bounty-seeker in the group, so they can then claim the bounty as well. This time lag should then be shortened each time it's forwarded to another seeker; eventually, the company is going to get tired of paying all these bounties for the exact same bug and fix it. And keeping the system so that it only forwards the info to seekers who don't know each other (this group would probably have hundreds to thousands of members) should create plausible deniability.

      • (Score: 2) by Immerman on Tuesday April 07 2020, @01:59PM (5 children)

        by Immerman (3985) on Tuesday April 07 2020, @01:59PM (#979958)

        I suppose that could work so long as the bug-finders don't mind committing fraud, and were actually in it to get the bug fixed, rather than for the money. But I suspect the freeloader problem would rapidly disenchant them. Especially since not only did they do all the work, they're taking the risk of having their bounty voided, and possible further legal action taken against them if the payer catches wind of their duplicity.

        • (Score: 2) by Grishnakh on Tuesday April 07 2020, @04:49PM (4 children)

          by Grishnakh (2831) on Tuesday April 07 2020, @04:49PM (#980006)

          My whole idea with it was: how exactly is the company going to know that they were sharing the bug information? If you set up a system so the people sharing the information don't know each other directly (other than all being subscribed to a system with thousands of users), how is the company going to prove fraud? For sharing an exploit, there really isn't very much information needed usually. It's a little bit like trying to copyright a header file.

          • (Score: 2) by maxwell demon on Tuesday April 07 2020, @05:06PM (3 children)

            by maxwell demon (1608) on Tuesday April 07 2020, @05:06PM (#980012) Journal

            By joining the system themselves and waiting until a bug gets passed on to them. This is then evidence that the previous bug reporter passed the bug on, and allows them to prosecute him.

            Have enough undercover joiners, and you'll have a good chance of getting several of them, and scaring the rest away.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by Grishnakh on Tuesday April 07 2020, @06:18PM (2 children)

              by Grishnakh (2831) on Tuesday April 07 2020, @06:18PM (#980032)

              How do they know the previous bug reporter passed it on, instead of it being independently discovered?

              • (Score: 2) by maxwell demon on Tuesday April 07 2020, @07:41PM (1 child)

                by maxwell demon (1608) on Tuesday April 07 2020, @07:41PM (#980051) Journal

                Because the receiver was the undercover agent, not the sender. If the previous bug reporter didn't pass it on, the undercover agent would not have gotten it.

                --
                The Tao of math: The numbers you can count are not the real numbers.
                • (Score: 2) by Grishnakh on Wednesday April 08 2020, @02:21PM

                  by Grishnakh (2831) on Wednesday April 08 2020, @02:21PM (#980254)

                  Again, this doesn't prove that the first person to disclose to the company and receive the bounty is the same person passing it on. It's entirely possible for independent parties to discover the same vulnerability. All the discloser has to do is make sure his write-up on the bug-sharing system isn't written the same way (perhaps find a friend to rewrite it) and doesn't have any obvious details that make it unique.

    • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @11:23PM (2 children)

      by Anonymous Coward on Tuesday April 07 2020, @11:23PM (#980121)

      You can have contracts that do that. However, you have to meet very specific requirements to do so. The only situations where people normally run into those types of contracts are third-party beneficiary contracts (e.g. insurance contracts) and negotiable instruments (e.g. drafts).

      • (Score: 2) by Immerman on Wednesday April 08 2020, @01:46AM (1 child)

        by Immerman (3985) on Wednesday April 08 2020, @01:46AM (#980166)

        I don't believe those in any way bind the actions of the third party, though. I can absolutely be the *beneficiary* of a contract between other people, and presumably even have certain obligations in order to claim that benefit. But I'm pretty certain a contract I didn't sign (or otherwise agree to - EULAs exist in a weird grey area of implied consent) can't legally obligate me to act (or not act) in any particular manner; it can only try to lure me into doing so.

        • (Score: 0) by Anonymous Coward on Thursday April 09 2020, @02:50AM

          by Anonymous Coward on Thursday April 09 2020, @02:50AM (#980482)

          Sure they can. For example, I give you an N.I., which is a contract between myself and you that makes it such that a third party, usually but not always a bank, has to pay you. Or I sign an agreement and use my house as collateral and then sell it; the buyer has to GTFO if the agreement is foreclosed on. Or I agree to mow my backyard weekly and not construct a fence in exchange for everyone else on my block agreeing to do the same so that we can all use the common backyard area, which binds not only myself but everyone else who may own my property, whether they know about the agreement or not. Or I duly delegate and assign a contract to another with proper notice, which binds the third parties to the respective contracts to act as though the agreements were originally between the two of them and cut me out.