Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday April 07 2020, @07:29AM   Printer-friendly
from the shush-your-mouth dept.

Arthur T Knackerbracket has found the following story:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by Grishnakh on Tuesday April 07 2020, @01:33PM (6 children)

    by Grishnakh (2831) on Tuesday April 07 2020, @01:33PM (#979954)

    It sounds like what's needed is a general group for bug-bounty-seekers to join, and after a bug has been found, and after the bounty paid, and some time after that (180 days perhaps), the information on the bug is forwarded to another random bounty-seeker in the group, so they can then claim the bounty as well. This time lag should then be shortened each time it's forwarded to another seeker; eventually, the company is going to get tired of paying all these bounties for the exact same bug and fix it. And keeping the system so that it only forwards the info to seekers who don't know each other (this group would probably have hundreds to thousands of members) should create plausible deniability.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by Immerman on Tuesday April 07 2020, @01:59PM (5 children)

    by Immerman (3985) on Tuesday April 07 2020, @01:59PM (#979958)

    I suppose that could work so long as the bug-finders don't mind committing fraud, and were actually in it to get the bug fixed, rather than for the money. But I suspect the freeloader problem would rapidly disenchant them. Especially since not only did they do all the work, they're taking the risk of having their bounty voided, and possible further legal action taken against them if the payer catches wind of their duplicity.

    • (Score: 2) by Grishnakh on Tuesday April 07 2020, @04:49PM (4 children)

      by Grishnakh (2831) on Tuesday April 07 2020, @04:49PM (#980006)

      My whole idea with it was: how exactly is the company going to know that they were sharing the bug information? If you set up a system so the people sharing the information don't know each other directly (other than all being subscribed to a system with thousands of users), how is the company going to prove fraud? For sharing an exploit, there really isn't very much information needed usually. It's a little bit like trying to copyright a header file.

      • (Score: 2) by maxwell demon on Tuesday April 07 2020, @05:06PM (3 children)

        by maxwell demon (1608) on Tuesday April 07 2020, @05:06PM (#980012) Journal

        By joining the system themselves and waiting until a bug gets passed on to them. This is then evidence that the previous bug reporter passed the bug on, and allows them to prosecute him.

        Have enough undercover joiners, and you'll have a good chance of getting several of them, and scaring the rest away.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by Grishnakh on Tuesday April 07 2020, @06:18PM (2 children)

          by Grishnakh (2831) on Tuesday April 07 2020, @06:18PM (#980032)

          How do they know the previous bug reporter passed it on, instead of it being independently discovered?

          • (Score: 2) by maxwell demon on Tuesday April 07 2020, @07:41PM (1 child)

            by maxwell demon (1608) on Tuesday April 07 2020, @07:41PM (#980051) Journal

            Because the receiver was the undercover agent, not the sender. If the previous bug reporter didn't pass it on, the undercover agent would not have gotten it.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by Grishnakh on Wednesday April 08 2020, @02:21PM

              by Grishnakh (2831) on Wednesday April 08 2020, @02:21PM (#980254)

              Again, this doesn't prove that the first person to disclose to the company and receive the bounty is the same person passing it on. It's entirely possible for independent parties to discover the same vulnerability. All the discloser has to do is make sure his write-up on the bug-sharing system isn't written the same way (perhaps find a friend to rewrite it) and doesn't have any obvious details that make it unique.