To pay or not to pay...

Andrew Tang explores the contentious issue of paying bug bounties when software flaws are discovered.

Andrew Tang, service director of security, MTI Technology

The idea of paying a bug bounty to someone who discovers a software flaw may be a touchy subject, but it's also a nailed-down reality.

Broadly speaking, there are those who say software vendors should do more to secure their software, while others point to the benefits of paying for the discovery of software vulnerabilities. Both have valid points.

Certainly, Microsoft, Google and Facebook think bug bounties are a good idea; they habitually make payments for discovered flaws.

By paying bug bounties, some software makers are essentially saying they can't guarantee the security of their products and commercially they can't afford to do so. The argument goes that if they dallied on extensive security testing, their products would no longer be commercially viable, millions would be lost, companies would sink and thousands would be out of work.

Torture and imprisonment

The fact remains, however, that exploits can cause tremendous damage. A flaw in Adobe Flash led to Italy's Hacking Team selling an exploit for it to, among others, repressive regimes with extremely poor human rights records.

Another vulnerability, affecting an Adobe font driver in Windows, essentially allowed attackers to elevate their privileges on a machine to administrator level. In fact, Adobe software was so riddled with bugs at one point that its future viability was in question after pundits and industry analysts essentially advised users to flee while they could.

A major vulnerability in software bundled with Samsung phones left as many as 600 million Samsung smartphone owners at risk of hacking, while last year auto manufacturer Chrysler had to recall 1.4 million cars because of a flaw in its Uconnect dashboard computers. About the same time, a software flaw in new Dell laptops left many users vulnerable to malicious hacking.

Falling on swords

Some vulnerabilities can lead to the loss of millions and millions of customer records, from credit card numbers to email addresses, passwords and more. The fallout can be horrendous, so it's not surprising to see revenues plunge, CEOs fall on their swords and huge fines slapped on the business by regulatory authorities.

Given these occasionally dramatic consequences, it makes more sense to pay a bug bounty, though some companies are at the moment averse to doing so.

Black budgets for software flaws

The practice is already well established in the industry and it can be big business. Among the many interesting facts that whistleblower Edward Snowden revealed was that the US National Security Agency spent more than $25 million (£17M) from its black budget in 2013 to acquire software vulnerabilities. While this is, in all likelihood, for spying on other governments, foreign banks and commercial operations have been hacked in the recent past with the finger pointing at the US.

Of course, software bugs are not the sole reason for major data breaches. More often than not, serious cyber-hacks happen because of weak or stolen credentials, social engineering and poorly configured servers and Web applications.

That said, the impact of software bugs shouldn't be underplayed. Within this context, and weighing the advantages against the disadvantages, it makes absolute sense for bug bounties to be paid. It stops an organisation from being hacked in the first place, and the cost doesn't compare to the damage and fallout when a successful cyber-attack takes place. However, clearly what is really needed is more secure software.

Making vendors honest

One approach is to actually ride the current bug bounty wave and implement a global bug bounty system, and one that is lucrative. Governments and global enterprises could get behind this and drive it forward. This might also encourage vendors to be more honest. The amount they currently pay for bug bounties is often minuscule compared to annual revenues.

A global bug bounty would ensure that every release of commercial software products would come under scrutiny by an army of security experts. Initially it might hit the vendors hard, but over the long term it would lead to much more secure software.

Contributed by Andrew Tang, service director of security, MTI Technology