SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story:
Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."
Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.
"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.
Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."
(Score: 2) by Immerman on Tuesday April 07 2020, @01:59PM (5 children)
I suppose that could work so long as the bug-finders don't mind committing fraud, and were actually in it to get the bug fixed, rather than for the money. But I suspect the freeloader problem would rapidly disenchant them. Especially since not only did they do all the work, they're taking the risk of having their bounty voided, and possible further legal action taken against them if the payer catches wind of their duplicity.
(Score: 2) by Grishnakh on Tuesday April 07 2020, @04:49PM (4 children)
My whole idea with it was: how exactly is the company going to know that they were sharing the bug information? If you set up a system so the people sharing the information don't know each other directly (other than all being subscribed to a system with thousands of users), how is the company going to prove fraud? For sharing an exploit, there really isn't very much information needed usually. It's a little bit like trying to copyright a header file.
(Score: 2) by maxwell demon on Tuesday April 07 2020, @05:06PM (3 children)
By joining the system themselves and waiting until a bug gets passed on to them. This is then evidence that the previous bug reporter passed the bug on, and allows them to prosecute him.
Have enough undercover joiners, and you'll have a good chance of getting several of them, and scaring the rest away.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Grishnakh on Tuesday April 07 2020, @06:18PM (2 children)
How do they know the previous bug reporter passed it on, instead of it being independently discovered?
(Score: 2) by maxwell demon on Tuesday April 07 2020, @07:41PM (1 child)
Because the receiver was the undercover agent, not the sender. If the previous bug reporter didn't pass it on, the undercover agent would not have gotten it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Grishnakh on Wednesday April 08 2020, @02:21PM
Again, this doesn't prove that the first person to disclose to the company and receive the bounty is the same person passing it on. It's entirely possible for independent parties to discover the same vulnerability. All the discloser has to do is make sure his write-up on the bug-sharing system isn't written the same way (perhaps find a friend to rewrite it) and doesn't have any obvious details that make it unique.