Moussouris: Bug bounty programs need to avoid jumping the shark
Bug bounty programs may seem to offer salvation at a bargain price for securing networks and systems, but Katie Moussouris offers tips for avoiding major pitfalls.
SAN FRANCISCO -- Combining a deep understanding of the economics, mechanics and politics of bug bounties with generous helpings of pop-culture references, longtime bug bounty proponent Katie Moussouris explained how an overreliance or lack of understanding can hamper the effectiveness of bug bounties. But there are ways to keep bug bounties and avoid some of the bigger pitfalls.
Despite spending billions of dollars over many years on efforts to secure systems of all kinds, the breaches keep coming. Moussouris, founder and CEO of Luta Security who helped Microsoft set up one of the first big bug bounty programs in 2013, warned that an overreliance on bug bounty programs can be unproductive, because many programs are structured in ways that pay bug hunters top dollar for "low-hanging-fruit" vulnerabilities.
"I like bug bounties, and I cannot lie," Moussouris said. "I am one of the biggest proponents of bug bounties," but she added that there are ways to use them wisely -- as well as "pitfalls and traps."
"We are in quite a bit of danger of jumping the shark with this concept if we're not careful, but we do have the ability to course-correct."
Jumping the shark -- what occurred in the TV show Happy Days when the writing staff ran out of ideas and had the popular character Fonzie waterski over a shark -- is a possibility for bug bounty programs, because they, like Happy Days, are very popular, but are endangered by their own success.
Bug bounty programs: Not quite perfect
For companies that walk into their first bug bounty program with high expectations, there may be some surprises, according to Moussouris. For starters, when a global bug bounty program begins, the company needs to understand there may be an elevation in what appears to be malicious activity. So, they need to find a way to differentiate the attacks that come from malicious actors from the activity of bug bounty hunters.
There is also the issue of how to deal with a sudden influx of bug reports. Simply doing triage on nonspam inbound email can be a massive task. Moussouris said Microsoft receives between 150,000 and 200,000 nonspam inbound email messages to the [email protected] account, and the job of sorting through it all --despite six-figure salaries with full benefits at Microsoft -- was described in 2007 as one of the worst jobs in science; it also had the highest turnover of any job in the Microsoft Security Response Center.
Perhaps the greatest danger for bug bounty programs may be that some pay premiums for pretty ordinary vulnerabilities. Moussouris said the majority of bug bounty bugs were due to cross-site scripting and breaches caused by the easy-to-spot vulnerabilities like XSS and unsecured AWS Simple Storage Service buckets.
How to stay away from perverse incentives
While bug bounty programs with six-figure bounties may get a lot of attention, they may tend to provide what Moussouris described as "perverse incentives" for developers, as well as bug bounty hunters: Many bug hunters are happy to report bugs in exchange for the public recognition, or even for something as simple as a challenge coin.
Developers may also be tempted, as shown in a 1995 "Dilbert" cartoon, to add -- or at least not fix -- bugs that they've put into the code themselves. And even if they aren't tempted by large prizes, developers still add bugs to their code in large part because security is not a part of most top computer science curricula in the U.S.
Action items for better bug bounty programs
When considering bug bounty programs, organizations should be willing to do the homework, which Moussouris suggested starts with auditing systems and software first to eliminate the easy-to-find bugs, followed by building a sustainable internal vulnerability-handling process that will help defenders learn from every bug found so entire classes of similar vulnerabilities can be eradicated.
Other, longer-term goals include building a balanced workforce by hiring and outsourcing appropriately. And, at all times, Moussouris urged defenders to be conscious of perverse incentives and remember to question anything that appears to be too good to be true.