被“白帽黑客”吐槽,漏洞赏金被质疑是“作秀”
2月,三位麻省理工大学网络安全研究员称,他们发现在线投票应用Voatz存在重大安全漏洞。Voatz提供了“漏洞赏金”,这笔奖金用于奖励任何发现并报告其软件安全漏洞的人士。Voatz希望借此鼓励独立“白帽黑客”来巩固其服务的安全性。(注:白帽黑客指用自己的黑客技术来维护网络关系公平正义的网络安全研究人员,通过测试网络和系统的性能来判定它们能够承受入侵的强弱程度。)
但麻省理工大学团队迅速发现,奖金的设置本身就存在漏洞。Voatz的漏洞赏金条款由Voatz制定,由漏洞报告平台HackerOne管理。该条款称,安全研究人员不能测试Voatz应用自身,而是必须使用应用的副本,但据称该副本无法正常运行。麻省理工大学团队成员迈克·斯佩克特称,该条款会威胁到研究的有效性。此外,该奖金还不适用于报告某种类型的攻击,安全研究人员称这项限制并未反映真实世界的状况。
尽管漏洞赏金在近些年来已成为公司网络安全工具包中越发流行的一个组件,但其构建和管理方式为安全研究人员带来了一系列问题。评论人士称,这些项目,尤其是通过HackerOne与Bugcrowd这样中间平台运营的项目,通常会限制安全研究人员的研究范围及分享成果的能力。他们称,这些缺陷最终可能让重要软件更容易受到“黑帽黑客”,即恶意黑客的袭击。
HackerOne前任高管凯蒂·毛苏利斯曾帮助微软创建了一个赏金项目,并在公共场合呼吁关注上述问题。在2月RSA安全会议的主旨演讲中,持有HackerOne大量股票的毛苏利斯表示,以其当前的形式来看,很多漏洞赏金项目都是肤浅的“安全作秀”,这意味着它们的主要目的是帮助美化公司形象,而不是让软件变得更安全。
漏洞赏金服务提供商的领导者并不赞同这一看法,在赏金项目方面设限,至少是暂时性的限制,是为了实现一个更宏大的目标:安全研究人员的理想信念是追求完全的透明,但处于资源和声誉危机中的公司有自己的苦衷,两者之间需要找到一个平衡点。
HackerOne首席技术官亚里克斯·莱斯说:“漏洞赏金项目在发现漏洞方面异常成功。让公司与[外部]安全研究人员合作是最为重要的一步。”
“封口费”
有关Voatz漏洞赏金的争议并非是个例。在近期涉及PayPal、流媒体平台奈飞、无人机制造商大疆和视频会议软件Zoom的安全漏洞中,通过赏金项目报告漏洞的安全研究人员发现自己陷入了程序性或合约迷局,其中的一些简直就是卡夫卡风格的再现。
特别值得一提的是,限制研究人员的保密条款通常来自于由HackerOne和 Bugcrowd运营的奖金项目。为了向一些公共奖金项目提交报告,研究人员必须同意限制公开讨论其发现的协议。评论人士称,通过限制公众了解可能的安全漏洞,保密条款会让单个公司受益,但却限制了网络安全更全面的进步。
评论人士指出,当安全性能研究员根据合约进行“渗透测试”时,保密条款是合理的。但如果将其用于公共报告,这些条款似乎破坏了一条广为认可的实践准则,也就是网络安全研究人员所称的“漏洞协同披露”准则。
协同披露理念的核心在于时限。如果某个漏洞得到了报告,但没有在合理的时间框架内(通常30-90天)被修复,那么黑客公开披露这一漏洞的行为通常被认为是道德的。这一准则源于上个世纪90年代,当时,独立安全研究员发现一些公司甚至不愿承认他们所报出的危险漏洞。公开发布漏洞将促使各大企业迅速修复其漏洞。
在漏洞得到修复后,对漏洞的公开讨论有助于编程人员修复或预防其他领域的类似漏洞。正如网络安全分析师凯伦•伊拉扎利所说的那样,这种公开对话有助于让白帽黑客成为“互联网免疫系统”。安全公司Veracode对网络安全专业人士的近期调查显示,90%的受调对象认为公开披露漏洞是一项可以改善整体网络安全的“公益事业”。
Veracode首席技术官、协同披露的先驱克里斯•威索帕尔担心,漏洞赏金的出现正在影响安全研究员之间的知识共享。近期发生的案例便成为了这一担忧的真实写照。
例如,当约翰逊•雷斯楚去年发现视频会议软件Zoom的一个严重漏洞时,他想到了协同披露准则。最终,雷斯楚并未选择Zoom通过Bugcrowd提供的漏洞赏金,因为保密条款会禁止他讨论其发现。他说,这个漏洞能够得以修复的唯一原因在于,他最终能够公开发布这个漏洞。
雷斯楚表示:“[Zoom]的第一反应是,这并不是一个漏洞。在媒体对其施加压力24小时之后,他们承认,好吧,这是一个漏洞。”雷斯楚如今认为,漏洞赏金中的保密条款相当于“研究人员的封口费”。Zoom拒绝对此事置评。
Bugcrowd联合创始人兼首席技术官凯西•埃利斯称,他的公司鼓励其客户放宽其披露条款,并敦促其客户尽可能地减少限制。HackerOne的莱斯说,他对很多案例的披露表示支持,但现有的披露标准可能并非是它们所标榜的那么完美。他承认,在Zoom案例中,“披露有着明显的益处”,但他还表示,公众和媒体通常对披露存在误解。
莱斯向《财富》透露:“我无法确定公开发布一系列未经验证的安全漏洞能为用户带来什么好处。”
保密游戏
即便某个漏洞属于“超出范围之外”的漏洞(也就是一般来讲不被看作是威胁,因此无需修复),漏洞赏金项目中的保密条款通常似乎依然有效。但什么才算是“有效”的漏洞这个根本问题则涉及毛苏利斯最痛恨的一个现象。
例如,PayPal和 Netflix近期漏洞被评估漏洞赏金申报的员工判定为“超出范围之外”。但赏金项目的条款(PayPal通过HackerOne发布,奈飞则通过Bugcrowd发布)均限制研究人员公开讨论他们发现的漏洞。
发现的这两个漏洞最终在未经许可的情况下公之于众。尽管莱斯称HackerOne允许研究人员通过索取许可来发布这类漏洞,但报告PayPal漏洞的研究人员并未获得披露许可。
在奈飞的漏洞案例中,一位Bugcrowd员工警告研究人员违反了平台的条款,因为研究人员在这些漏洞被判定为没有资格获得赏金后,于推特上发布了漏洞消息。Bugcrowd在一份声明中表示,“重要的一点在于,只有在研究人员与客户的项目所有者进行讨论,并就披露时限达成一致意见之后,才能进行披露。”在研究人员违反披露限制的案例中,Bugcrowd会与“研究人员沟通,从公共论坛中删除这一信息,来保护研究人员和客户。”
然而,Voatz案例则生动地展现了根植于众多漏洞赏金项目的不透明性所带来的风险。由于Voatz被视为一个重要的选举软件,麻省理工大学团队最终通过美国政府的网络安全和基础设施安全局通报了自己的发现,而不是通过HackerOne。
Voatz并不赞同该团队的发现,并控诉研究人员的行为属于背信弃义。Voatz首席执行官尼米特•苏尼认为,麻省理工大学研究人员的动机在于“制作丑闻”,是一个“有组织的运动”的一部分,后者的“主要目的是阻止所有互联网投票活动。”斯佩克特则赞同其团队向媒体披露这一事件的行为,“因为在向公众清晰、准确地传播信息方面,媒体往往是最合适的机构。”
3月初,西弗吉尼亚州发现,麻省理工大学研究人员的主张有足够的依据,因此州政府决定在5月的大选中使用另一个系统。在3月13日,一家独立研究团体发表了第二篇报告,证实了麻省理工大学团队的诸多主张,并发现了新的问题。Cyberscoop称,该报告提到了通过Voatz的HackerOne赏金项目提交的重大漏洞,但被该选举应用划分为非重大漏洞。
然后在3月30日周一,HackerOne宣布把Voatz踢出平台,这是公司第一次采取这一激进举措。此举明显是针对Voatz对麻省理工大学研究人员响应的回应,包括一些后续调整,以取消禁止黑客测试其应用的法律保护伞。
Voatz首席执行官苏尼将HackerOne的举措定性为“共同决定”,但这家对漏洞进行悬赏的公司拒绝接受这一定性。“我们一直在孜孜不倦地培养安全团队与研究人员团体之间互利互惠的关系。[Voat赏金项目]最终并没有遵守我们的合作,而且对于任何一方来说都没有什么成效。”
所有这一切颇具讽刺意味,如果麻省理工大学团队并未绕过HackerOne的保密条款,也没有将其发现报告给联邦政府,那么Voatz应用的漏洞可能永远都无法为人所知。
“每一次都乱得要命”
HackerOne和Bugcrowd都会从推销赏金项目中获得收益,同时还能减少客户的麻烦。HackerOne自2012年成立以来已经筹集1.1亿美元的风投资本,其服务的赏金项目客户包括任天堂、星巴克和Slack。提供类似服务的Bugcrowd则筹集了略高于5000万美元的资金,其客户包括Fitbit,惠普和摩托罗拉。
但安全资深人士担心,在大行其道的赏金项目之前,更为有效的软件安全改善途径会变得黯淡无光。
大卫•欧腾海默曾在MongoDB和EMC公司担任安全高管职务,如今负责戴尔的安全业务。他认为赏金项目对于严重的网络安全来说没有必要,而且他称自己在公司没有经营赏金项目的情况下一直从独立研究人员那里获得高质量的漏洞报告。欧腾海默说:“要启用最好的研究人员确实需要花钱,但他们的主要目的都是为了让这个世界变得更加美好。”
Veracode开展的一项调查证实了这一观点。在反馈的机构中,有47%称自己设立了赏金项目,但平均来看,仅有19%的漏洞通报来自于这些项目。同时,在通报过漏洞的受调对象中,有57%称自己希望能够就报告与对方沟通,仅有18%希望对方付钱。
发现Voatz漏洞的麻省理工大学研究人员对这一观点表示赞同。斯佩克特说:“我们感兴趣的是,他们会对我们找到的漏洞作何反应。我们对钱完全不感兴趣。”
Veracode的威索帕尔认为,赏金项目平台所传达的信息为人们带来了困惑。他说:“他们崇尚的[理念]在于,在巩固软件安全性方面,众包是最好、最高效的方式。但如果你算一算经济账,像谷歌和Facebook这样的公司会将赏金项目看作是一种补充、后备或锦上添花的举措。”
他说:“关键在于,让那些训练有素的开发员获得打造安全软件的正确工具。”
莱斯认为,HackerOne的使命就是宣传赏金项目的益处,哪怕在透明度和披露这类原则性问题上做出些许让步也无关紧要。
莱斯说:“对于一个机构和一个传播团队来说,[披露]工作量有多大,这一点我不能去夸大。每一次都乱得要命……有的客户签署了公众监察协议,也有客户不愿签。”
但欧腾海默称,这正是问题的结症所在:各大公司希望赏金项目得到好评,但对项目本应具有的透明度视而不见。他说,“这是选择性的失明。”
欧腾海默指出,赏金项目未能发现漏洞,但该漏洞却直接成了新闻头条,这可谓网络安全史上最严重的灾难。他说:“他们让雅虎在预算中增加了200万美元的赏金,但[当年晚些时候]有30亿客户的数据遭到了泄露。”
“新闻称,‘看看他们的作用,花了200万美元’,但对安全性一点帮助都没有。”(财富中文网)
译者:Feb
2月,三位麻省理工大学网络安全研究员称,他们发现在线投票应用Voatz存在重大安全漏洞。Voatz提供了“漏洞赏金”,这笔奖金用于奖励任何发现并报告其软件安全漏洞的人士。Voatz希望借此鼓励独立“白帽黑客”来巩固其服务的安全性。(注:白帽黑客指用自己的黑客技术来维护网络关系公平正义的网络安全研究人员,通过测试网络和系统的性能来判定它们能够承受入侵的强弱程度。)
但麻省理工大学团队迅速发现,奖金的设置本身就存在漏洞。Voatz的漏洞赏金条款由Voatz制定,由漏洞报告平台HackerOne管理。该条款称,安全研究人员不能测试Voatz应用自身,而是必须使用应用的副本,但据称该副本无法正常运行。麻省理工大学团队成员迈克·斯佩克特称,该条款会威胁到研究的有效性。此外,该奖金还不适用于报告某种类型的攻击,安全研究人员称这项限制并未反映真实世界的状况。
尽管漏洞赏金在近些年来已成为公司网络安全工具包中越发流行的一个组件,但其构建和管理方式为安全研究人员带来了一系列问题。评论人士称,这些项目,尤其是通过HackerOne与Bugcrowd这样中间平台运营的项目,通常会限制安全研究人员的研究范围及分享成果的能力。他们称,这些缺陷最终可能让重要软件更容易受到“黑帽黑客”,即恶意黑客的袭击。
HackerOne前任高管凯蒂·毛苏利斯曾帮助微软创建了一个赏金项目,并在公共场合呼吁关注上述问题。在2月RSA安全会议的主旨演讲中,持有HackerOne大量股票的毛苏利斯表示,以其当前的形式来看,很多漏洞赏金项目都是肤浅的“安全作秀”,这意味着它们的主要目的是帮助美化公司形象,而不是让软件变得更安全。
漏洞赏金服务提供商的领导者并不赞同这一看法,在赏金项目方面设限,至少是暂时性的限制,是为了实现一个更宏大的目标:安全研究人员的理想信念是追求完全的透明,但处于资源和声誉危机中的公司有自己的苦衷,两者之间需要找到一个平衡点。
HackerOne首席技术官亚里克斯·莱斯说:“漏洞赏金项目在发现漏洞方面异常成功。让公司与[外部]安全研究人员合作是最为重要的一步。”
“封口费”
有关Voatz漏洞赏金的争议并非是个例。在近期涉及PayPal、流媒体平台奈飞、无人机制造商大疆和视频会议软件Zoom的安全漏洞中,通过赏金项目报告漏洞的安全研究人员发现自己陷入了程序性或合约迷局,其中的一些简直就是卡夫卡风格的再现。
特别值得一提的是,限制研究人员的保密条款通常来自于由HackerOne和 Bugcrowd运营的奖金项目。为了向一些公共奖金项目提交报告,研究人员必须同意限制公开讨论其发现的协议。评论人士称,通过限制公众了解可能的安全漏洞,保密条款会让单个公司受益,但却限制了网络安全更全面的进步。
评论人士指出,当安全性能研究员根据合约进行“渗透测试”时,保密条款是合理的。但如果将其用于公共报告,这些条款似乎破坏了一条广为认可的实践准则,也就是网络安全研究人员所称的“漏洞协同披露”准则。
协同披露理念的核心在于时限。如果某个漏洞得到了报告,但没有在合理的时间框架内(通常30-90天)被修复,那么黑客公开披露这一漏洞的行为通常被认为是道德的。这一准则源于上个世纪90年代,当时,独立安全研究员发现一些公司甚至不愿承认他们所报出的危险漏洞。公开发布漏洞将促使各大企业迅速修复其漏洞。
在漏洞得到修复后,对漏洞的公开讨论有助于编程人员修复或预防其他领域的类似漏洞。正如网络安全分析师凯伦•伊拉扎利所说的那样,这种公开对话有助于让白帽黑客成为“互联网免疫系统”。安全公司Veracode对网络安全专业人士的近期调查显示,90%的受调对象认为公开披露漏洞是一项可以改善整体网络安全的“公益事业”。
Veracode首席技术官、协同披露的先驱克里斯•威索帕尔担心,漏洞赏金的出现正在影响安全研究员之间的知识共享。近期发生的案例便成为了这一担忧的真实写照。
例如,当约翰逊•雷斯楚去年发现视频会议软件Zoom的一个严重漏洞时,他想到了协同披露准则。最终,雷斯楚并未选择Zoom通过Bugcrowd提供的漏洞赏金,因为保密条款会禁止他讨论其发现。他说,这个漏洞能够得以修复的唯一原因在于,他最终能够公开发布这个漏洞。
雷斯楚表示:“[Zoom]的第一反应是,这并不是一个漏洞。在媒体对其施加压力24小时之后,他们承认,好吧,这是一个漏洞。”雷斯楚如今认为,漏洞赏金中的保密条款相当于“研究人员的封口费”。Zoom拒绝对此事置评。
Bugcrowd联合创始人兼首席技术官凯西•埃利斯称,他的公司鼓励其客户放宽其披露条款,并敦促其客户尽可能地减少限制。HackerOne的莱斯说,他对很多案例的披露表示支持,但现有的披露标准可能并非是它们所标榜的那么完美。他承认,在Zoom案例中,“披露有着明显的益处”,但他还表示,公众和媒体通常对披露存在误解。
莱斯向《财富》透露:“我无法确定公开发布一系列未经验证的安全漏洞能为用户带来什么好处。”
保密游戏
即便某个漏洞属于“超出范围之外”的漏洞(也就是一般来讲不被看作是威胁,因此无需修复),漏洞赏金项目中的保密条款通常似乎依然有效。但什么才算是“有效”的漏洞这个根本问题则涉及毛苏利斯最痛恨的一个现象。
例如,PayPal和 Netflix近期漏洞被评估漏洞赏金申报的员工判定为“超出范围之外”。但赏金项目的条款(PayPal通过HackerOne发布,奈飞则通过Bugcrowd发布)均限制研究人员公开讨论他们发现的漏洞。
发现的这两个漏洞最终在未经许可的情况下公之于众。尽管莱斯称HackerOne允许研究人员通过索取许可来发布这类漏洞,但报告PayPal漏洞的研究人员并未获得披露许可。
在奈飞的漏洞案例中,一位Bugcrowd员工警告研究人员违反了平台的条款,因为研究人员在这些漏洞被判定为没有资格获得赏金后,于推特上发布了漏洞消息。Bugcrowd在一份声明中表示,“重要的一点在于,只有在研究人员与客户的项目所有者进行讨论,并就披露时限达成一致意见之后,才能进行披露。”在研究人员违反披露限制的案例中,Bugcrowd会与“研究人员沟通,从公共论坛中删除这一信息,来保护研究人员和客户。”
然而,Voatz案例则生动地展现了根植于众多漏洞赏金项目的不透明性所带来的风险。由于Voatz被视为一个重要的选举软件,麻省理工大学团队最终通过美国政府的网络安全和基础设施安全局通报了自己的发现,而不是通过HackerOne。
Voatz并不赞同该团队的发现,并控诉研究人员的行为属于背信弃义。Voatz首席执行官尼米特•苏尼认为,麻省理工大学研究人员的动机在于“制作丑闻”,是一个“有组织的运动”的一部分,后者的“主要目的是阻止所有互联网投票活动。”斯佩克特则赞同其团队向媒体披露这一事件的行为,“因为在向公众清晰、准确地传播信息方面,媒体往往是最合适的机构。”
3月初,西弗吉尼亚州发现,麻省理工大学研究人员的主张有足够的依据,因此州政府决定在5月的大选中使用另一个系统。在3月13日,一家独立研究团体发表了第二篇报告,证实了麻省理工大学团队的诸多主张,并发现了新的问题。Cyberscoop称,该报告提到了通过Voatz的HackerOne赏金项目提交的重大漏洞,但被该选举应用划分为非重大漏洞。
然后在3月30日周一,HackerOne宣布把Voatz踢出平台,这是公司第一次采取这一激进举措。此举明显是针对Voatz对麻省理工大学研究人员响应的回应,包括一些后续调整,以取消禁止黑客测试其应用的法律保护伞。
Voatz首席执行官苏尼将HackerOne的举措定性为“共同决定”,但这家对漏洞进行悬赏的公司拒绝接受这一定性。“我们一直在孜孜不倦地培养安全团队与研究人员团体之间互利互惠的关系。[Voat赏金项目]最终并没有遵守我们的合作,而且对于任何一方来说都没有什么成效。”
所有这一切颇具讽刺意味,如果麻省理工大学团队并未绕过HackerOne的保密条款,也没有将其发现报告给联邦政府,那么Voatz应用的漏洞可能永远都无法为人所知。
“每一次都乱得要命”
HackerOne和Bugcrowd都会从推销赏金项目中获得收益,同时还能减少客户的麻烦。HackerOne自2012年成立以来已经筹集1.1亿美元的风投资本,其服务的赏金项目客户包括任天堂、星巴克和Slack。提供类似服务的Bugcrowd则筹集了略高于5000万美元的资金,其客户包括Fitbit,惠普和摩托罗拉。
但安全资深人士担心,在大行其道的赏金项目之前,更为有效的软件安全改善途径会变得黯淡无光。
大卫•欧腾海默曾在MongoDB和EMC公司担任安全高管职务,如今负责戴尔的安全业务。他认为赏金项目对于严重的网络安全来说没有必要,而且他称自己在公司没有经营赏金项目的情况下一直从独立研究人员那里获得高质量的漏洞报告。欧腾海默说:“要启用最好的研究人员确实需要花钱,但他们的主要目的都是为了让这个世界变得更加美好。”
Veracode开展的一项调查证实了这一观点。在反馈的机构中,有47%称自己设立了赏金项目,但平均来看,仅有19%的漏洞通报来自于这些项目。同时,在通报过漏洞的受调对象中,有57%称自己希望能够就报告与对方沟通,仅有18%希望对方付钱。
发现Voatz漏洞的麻省理工大学研究人员对这一观点表示赞同。斯佩克特说:“我们感兴趣的是,他们会对我们找到的漏洞作何反应。我们对钱完全不感兴趣。”
Veracode的威索帕尔认为,赏金项目平台所传达的信息为人们带来了困惑。他说:“他们崇尚的[理念]在于,在巩固软件安全性方面,众包是最好、最高效的方式。但如果你算一算经济账,像谷歌和Facebook这样的公司会将赏金项目看作是一种补充、后备或锦上添花的举措。”
他说:“关键在于,让那些训练有素的开发员获得打造安全软件的正确工具。”
莱斯认为,HackerOne的使命就是宣传赏金项目的益处,哪怕在透明度和披露这类原则性问题上做出些许让步也无关紧要。
莱斯说:“对于一个机构和一个传播团队来说,[披露]工作量有多大,这一点我不能去夸大。每一次都乱得要命……有的客户签署了公众监察协议,也有客户不愿签。”
但欧腾海默称,这正是问题的结症所在:各大公司希望赏金项目得到好评,但对项目本应具有的透明度视而不见。他说,“这是选择性的失明。”
欧腾海默指出,赏金项目未能发现漏洞,但该漏洞却直接成了新闻头条,这可谓网络安全史上最严重的灾难。他说:“他们让雅虎在预算中增加了200万美元的赏金,但[当年晚些时候]有30亿客户的数据遭到了泄露。”
“新闻称,‘看看他们的作用,花了200万美元’,但对安全性一点帮助都没有。”(财富中文网)
译者:Feb
In February, three MIT cybersecurity researchers reported that they had found major security flaws in the online voting application Voatz. Offering what’s known as a “bug bounty”—a payment for anyone who discovers and reports a security hole in software—Voatz sought to encourage independent “white hat” hackers to shore up the security of its service.
But the MIT team quickly found the reward was an even bigger problem than the bug. The terms of the Voatz bug bounty, set by the company and administered through the bug reporting platform HackerOne, said researchers couldn’t test Voatz’s app itself. Instead they’d have to use a copy of the app, which the researchers said didn’t work properly. According to MIT team member Michael Specter, that would have been a threat to the validity of the research. The bounty also didn’t allow for reporting of certain kinds of attacks, a restriction the researchers argued didn’t reflect real-world conditions.
While bug bounties have become an increasingly popular part of companies’ cybersecurity toolkit in recent years, researchers have run into an array of problems with the way they are structured and managed. Critics say the programs, particularly those run with intermediaries like HackerOne and Bugcrowd, often limit the scope of researchers’ work and their ability to share findings. These shortcomings, they say, could ultimately leave important software more vulnerable to “black hats,” or malicious hackers.
Katie Moussouris, a former HackerOne executive who has also helped Microsoft start a bounty program, has publicly called attention to these issues. In a keynote address at the RSA security conference in February, Moussouris, who holds significant stock in HackerOne, said that in their current form many bug bounty programs are superficial “security Botox,” meaning they're better for helping companies to look good than they are for actually securing software.
The leaders of bug bounty services counter that putting guardrails around bounty programs, at least temporarily, serves the larger goal of balancing white-hat ideals of total transparency with the needs of companies whose resources and reputations are on the line.
“Bug bounty programs are amazingly successful at identifying vulnerabilities,” says HackerOne CTO Alex Rice. "Getting companies working with [external] security researchers is the most important step.”
“Buying researchers’ silence”
The controversy surrounding the Voatz bug bounty isn’t an isolated case. In recent incidents involving PayPal, streaming platform Netflix, drone maker DJI, and videoconferencing software Zoom, security researchers reporting bugs through bounty programs found themselves tangled in procedural or contractual runarounds—some of them downright Kafkaesque.
In particular, researchers have been galled by nondisclosure clauses that are often part of bounties run through HackerOne and Bugcrowd. In order to submit a report to some public bounties, researchers must agree to restrictions on discussing their findings publicly. In limiting public knowledge about possible security vulnerabilities, nondisclosure clauses benefit individual companies, critics say, at the expense of broader advances in cybersecurity.
Nondisclosure clauses can be appropriate when security researchers are hired to conduct “penetration testing” under contract, critics grant. But when applied to incoming reports from the public, the clauses appear to undermine a widely accepted practice among cybersecurity researchers known as “coordinated vulnerability disclosure.”
A ticking clock sits at the core of the concept of coordinated disclosure. If a bug has been reported but not fixed within a reasonable time frame—generally, between 30 and 90 days—it is generally considered ethical for a hacker to disclose a bug publicly. That norm originated in the 1990s, when independent security researchers found some companies wouldn’t even acknowledge their reports of dangerous bugs. The threat of releasing a hacking method publicly encouraged businesses to fix their vulnerabilities quickly.
After a bug is patched, publicly discussing it can help programmers to fix or prevent similar vulnerabilities elsewhere. As cybersecurity analyst Keren Elazari has put it, this public dialogue helps make white-hat hackers “the Internet’s immune system.” A recent survey of cybersecurity professionals by the security firm Veracode found that 90% regard public disclosure of vulnerabilities as a “public good” that improves cybersecurity overall.
Chris Wysopal, Veracode’s CTO and one of the pioneers of coordinated disclosure, worries that the rise of bug bounties is weakening that knowledge sharing among security researchers. Recent cases illustrate exactly how that is happening.
For example, when Jonathan Leitschuh discovered a serious vulnerability in the videoconferencing software Zoom last year, he had coordinated-disclosure norms in mind. Ultimately, Leitschuh chose not to pursue a bug bounty Zoom offered through Bugcrowd, because nondisclosure terms would have prevented him from talking about his findings. The bug was fixed only because he was eventually able to go public, he says.
“[Zoom’s] first response was, This is not a vulnerability,” Leitschuh says. “After 24 hours of having the media holding their feet to the fire, they admitted, Okay, it’s a vulnerability.” Leitschuh now thinks that nondisclosure clauses in bug bounties are equivalent to “buying researchers’ silence.” Zoom declined to comment for this story.
Casey Ellis, cofounder and CTO of Bugcrowd, says his company encourages its customers to be generous in their disclosure terms and pushes clients to minimize restrictions. Rice at HackerOne says he also supports disclosure in many cases, but also that existing disclosure standards may not be all they’re cracked up to be. He admits that in the Zoom case, there were “clear benefits to disclosure,” but says that the public and the press often misinterpret disclosures.
“I’m not sure what benefit users get from publishing a bunch of unvalidated security vulnerabilities,” Rice tells Fortune.
The nondisclosure dance
The nondisclosure terms of bug bounty programs often appear to remain in force even if a bug is deemed “out of scope”—broadly, something that’s not considered a threat and therefore won’t be fixed. But the fundamental question of what constitutes a “valid” bug speaks to one of Moussouris’s biggest critiques.
For instance, recent vulnerabilities at PayPal and Netflix were deemed “out of scope” by workers who reviewed bug bounty submissions. But the terms of the bounty programs—PayPal’s through HackerOne, Netflix’s via Bugcrowd—nonetheless restricted the researchers from publicly discussing the exploits they found.
Both findings were ultimately published without permission. Though Rice says HackerOne allows researchers to request permission to publish in such cases, the researchers who reported the PayPal vulnerability did not receive clearance to disclose.
With Netflix’s vulnerability, a Bugcrowd worker warned the researcher that he had violated the platform’s terms by tweeting about his findings after they were deemed out of scope for the bounty. In a statement, Bugcrowd said in part that “it’s important that the disclosure comes only after a discussion between the researcher and customer’s program owners so that both parties reach a mutually agreeable disclosure timeline.” In cases in which a researcher violates disclosure restrictions, Bugcrowd “work(s) with the researcher to remove this information from public forums to protect the researcher and customer.”
The Voatz case, however, has become a dramatic example of the risks of the opacity built into many bug bounties. Because Voatz is considered critical election software, the MIT team ultimately was able to report their discoveries through the U.S. government’s Cybersecurity and Infrastructure Security Agency, instead of through HackerOne.
Voatz disputed their findings and accused the researchers of acting in “bad faith.” Voatz CEO Nimit Sawhney alleges that the MIT researchers were motivated by an “urge to make a scandal” as part of a “coordinated campaign” whose “main goal is to stop any and all Internet voting.” Specter defends his group’s turning to the media “because they would be best situated to clearly and accurately communicate information to the public at large.”
By early March, West Virginia found the MIT researchers’ claims credible enough that the state decided that it will use a different system for its May primary. On March 13, an independent research group released a second report confirming many of the MIT group’s claims and finding additional issues. According to reporting by Cyberscoop, the report included critical vulnerabilities that had been submitted through Voatz’s HackerOne bounty but were classified as noncritical by the election app.
Then on Monday, March 30, HackerOne announced that it was removing Voatz from the platform, the first time it has taken that drastic action. The move was apparently a response to Voatz’s response to the MIT researchers, including subsequent changes to strip legal protections from hackers testing its app.
Voatz CEO Sawhney characterized HackerOne’s move as a “mutual decision,” but the bug bounty company declined to confirm this characterization. “We work tirelessly to foster a mutually beneficial relationship between security teams and the researcher community,” HackerOne said in a statement to Fortune. “[The Voatz bounty program] ultimately did not adhere to our partnership standards and was no longer productive for either party.”
The irony of all this is that if the MIT group hadn’t skirted HackerOne’s nondisclosure terms and reported its findings to the federal government, the flaws in Voatz’s app may never have come to light at all.
“Chaos, every single time”
Both HackerOne and Bugcrowd have a financial interest in touting the benefits of bounties, while making things easy on their customers. HackerOne, which administers programs for the likes of Nintendo, Starbucks, and Slack, has raised $110 million in venture capital since its 2012 founding. Bugcrowd, a similar service, has raised just over $50 million, and its clients include Fitbit, HP, and Motorola.
But security veterans worry that the fashion for bug bounties, including among major firms, is eclipsing more effective approaches to software security.
Davi Ottenheimer has held executive security roles at MongoDB and EMC, now part of Dell. He considers bug bounties unnecessary to serious cybersecurity, and he says he has consistently gotten good-quality bug reports from independent researchers without running formal bounty programs. “The best researchers, sure, they’ll take some money,” Ottenheimer says. “But mostly what they want is a better world.”
A survey by Veracode confirms that. While 47% of responding organizations said they had a bug bounty program, on average only 19% of their bug reports came through those programs. And while 57% of respondents who had reported a bug said they expected communication about their report, only 18% expected payment.
The MIT researchers who uncovered the Voatz bugs echo that sentiment. “We were interested in figuring out how well they’d respond to the bugs we found,” says Specter. “We weren’t interested in the money at all.”
Veracode’s Wysopal feels messaging from bug bounty platforms has contributed to confusion. “They lead with [the idea that] the crowdsourced way is the best and most efficient way to secure your software,” he says. “But if you look at the economics of it, firms like Google and Facebook look at bug bounties as an add-on, a backstop, icing on the cake.
“The cake is, Let’s have trained developers with the right tools building secure software,” he adds.
Rice considers it HackerOne’s mission to advocate for the benefits of bug bounties, even if that means being flexible on ideals like transparency and disclosure.
“I cannot overstate how much work [disclosure] is for an organization and a communications team,” he says. "It’s chaos every single time...We have customers who sign up for the public scrutiny,” Rice adds, “and those who would rather not.”
But Ottenheimer says that’s exactly the problem: Companies want the good press that comes with bug bounties but without the transparency these programs should entail. “It’s about optics,” he says.
Ottenheimer points out that headline-generating bug bounties failed to prevent one of the biggest disasters in cybersecurity history. “They added a $2 million bounty to the Yahoo budget,” he says. “Yet 3 billion accounts were compromised [later that year].
“The news said, ‘Look how great they are—they spent $2 million.’ But that doesn’t map to safety at all.”
