Today on the Bugcrowd blog we reposted CodingHorror’s blog post about Open Source Software and bug bounties.
Excerpt from the post:
Last week Jeff “@CodingHorror” Atwood, the co-founder of Stack Overflow and Discourse, posted a fantastic blog essay about bug bounties and open source software. His post, “Given Enough Money, All Bugs are Shallow,” offers advice on how bug bounty programs can improve, calling for more incentives for researchers to collaborate on bigger bugs, vetting of bug reports for companies and organizations, a reputation system for researchers to help vet reporters, and Jeff suggests that larger organizations should help fund bug bounties on the open source software that they use.
Hey Sam,
Thanks for the invite and for asking me to comment on open source software bounties! Jeff had some valid and invalid points. His most valid point is that money brings more security, but the point in his article about his product being 100 percent free is somewhat invalid. The moment you associate a free program with your name you can use it for credibility, to show people what you’ve made and why they can hire you, etc. So can you really call the product free? You aren’t being charged to use it, but the product isn’t entirely free, if the word free means there is nothing gained and nothing earned from the product. I am not picking on Jeff; he has done amazing work. I am trying to point out an invalid perception in the open source community about products that are “free”.
Everyone knows that one platform my company does research on is WordPress code, because it is so widespread. You wouldn’t believe how many bug reports we make for free and don’t write about. Although, playing devil’s advocate, can you really say a security bug you reported is free if you write about it? If either your personal site or, in this case, our company’s site gets more views that turn into more readers or even paid work, then something was gained or even earned from that “free” report.
One problem we have with free reports is when the company has a steady revenue and sets up a bug bounty that offers no monetary compensation. When I say steady revenue, I mean millions of dollars in revenue every year. No company with that much money coming in should run a free bounty, yet so many do. The mentality that researchers’ work should be free when you are making millions of dollars off the software is just plain wrong. It shows how much companies value security reports. When we run into one of these situations, we will make a report telling the company where the vulnerability is, why it is vulnerable, what the type of exploit is, and references to other work demonstrating that exploit or similar exploits. What we don’t do is spend the time making a working proof of concept unique to these companies’ software, because it takes up a lot of time and they have tons of money but choose not to pay. Our work has value.
Most of these large companies that choose not to pay for security holes are also infamous for not fixing security issues even when you make them a full working proof of concept for free and it is found valid by peers or even by Bugcrowd. If we found the bug while working for a customer, then we send the bug to the company with a full proof of concept.
When it comes to kudos bounties, well, we do some of them even when the company makes enough money, but when the report is free and the company doesn’t respond for months or ever, then you don’t work with that company again. Although that is a conversation for a different thread.
@planetzuda Interesting points about the currency exchanged with bug reports, whether that is actual money currency, attention currency, etc. Some people favor one or the other, or a mix of the two, and bug bounties definitely have to keep those in mind when working with researchers.
I think Jeff makes some good points about Open Source Software, though I wonder where to draw the line with for-profit organizations that make open source software as their main product. As @Planetzuda mentions, working on a product like WordPress (or Discourse for that matter) can be exciting because it is so widespread, but it is also created and operated by a for-profit business. How do you decide how much work to do? I suppose each individual has to choose for themselves, deciding whether they value the intrinsic rewards of helping improve software used by many users over the extrinsic cash rewards that can come with paid bounty programs.
So that brings us back to Jeff’s point that Open Source Software needs paid bounties and that money can or should come from the organizations that use that software. I think that is a sensible conclusion and I hope that we see many large companies, several of which are valued in the billions of dollars, contribute money and resources to security efforts that improve the software they use in their products or environment.
There are open source bounty programs coming in the near future. That isn’t speculation, but actual knowledge of what’s going on. A big part of reporting bugs to for-profit companies that don’t offer money is how well they respond to bugs. If they’re notorious for not fixing bugs, then you obviously don’t want to spend your time making a full proof of concept. If it is a good company that fixes bugs, then we have no problem making a free report now and then.
The Drupal 8 bounty raises questions for all open source bounties. If a bug isn’t fixed and Drupal 8 is released, can we send the bug reports to all bounty programs using Drupal 8? If a site is already running the software, in this case Drupal 8 Beta, are we allowed to submit it to all the bounties, or if we submit it to the Drupal 8 bounty, are we not allowed to submit it anywhere else? You can replace Drupal 8 with any other open source bounty that may come in the future.
The broken assumption is that there are open source bug bounties. The ones that exist are few and far between. If I had to align with the statement, then I would assume that if there were something, it would be measurably better than nothing.