Firms use bug bounties to buy hacker silence



The bug bounty platforms HackerOne, Bugcrowd, and Synack serve as intermediaries between white hackers and companies who want to improve the security of their products. When used correctly, the logic is simple:

  1. A hacker reports a vulnerability.
  2. The vendor fixes the bug and pays the hacker a reward in gratitude for doing the right thing.

But in reality, things work differently. As the CSO investigation showed, companies and bug-bounty platforms have turned vulnerability disclosure upside down to such a degree that many experts, including former HackerOne policy director Katie Moussouris, call it a “perversion”.

In short, instead of prioritizing fixes, companies prioritize buying hackers off, making the signing of an NDA a precondition for any payment. This fundamentally changes the logic of what is happening.

Vulnerability Disclosure Procedure


A vulnerability disclosure program (VDP) is an almost mandatory requirement for many firms. For example, the US Federal Trade Commission recommends that companies adopt such procedures and fines them for poor security practices. Last year the Department of Homeland Security ordered all civilian federal agencies to introduce vulnerability disclosure procedures.

However, for any agency or company, a VDP is a huge headache. The procedure is as follows: security researchers report a bug and give you at most 90 days to fix it. When time runs out, they call their favorite journalist, publish full details of the vulnerability on Twitter, and, if it is a really juicy bug, present it at Black Hat or DEF CON.

On the one hand, the vulnerability disclosure procedure strikes a certain balance between the interests of the company, society, and the security researchers themselves, who receive recognition for their work. On the other hand, some companies worry about their share price and/or reputation, and would rather pay money than have to answer to the public.

Bug bounty platforms offer organizations a tempting alternative. Researchers report vulnerabilities under non-disclosure agreements (NDAs). They are literally paid for silence. Then the company does what it wants: it may fix the bugs you reported, or it may not, but you are forbidden to talk about them.

Silence is a commodity


Silence is a commodity, and it seems this product is in demand on the market. Demand creates supply, so the bug bounty platforms have structured their business to offer customers what they are willing to pay for.

Former HackerOne Policy Director Katie Moussouris believes the root of the problem is the commercialization of bug bounty platforms chasing exponential growth. For example, HackerOne management set a goal of gathering 1,000,000 hackers on the platform. For them it is important to attract as many companies as possible, of any size and on any terms.


Katie Moussouris, former HackerOne Policy Director, founder of Luta Security

“These commercial vulnerability search platforms ... are perverting the entire ecosystem, and I want it to stop even if I pay for it myself,” says Moussouris. As a former HackerOne executive, she holds stock options and could count on a generous payout if HackerOne goes public. “I appeal to you in spite of my personal financial gain.”

Other independent experts agree that secrecy harms information security: “Rewards are best made transparent and open. The more you try to classify them and require an NDA, the less effective they become, and the more it becomes about marketing, not security,” says Robert Graham of Errata Security.

Jonathan Leitschuh, who last year disclosed a severe vulnerability in the Zoom video conferencing client (it installed a web server on localhost without the user's knowledge, allowing remote command execution), agrees with him.

A simple exploit when the Zoom server is listening on localhost:

<img src="http://localhost:19421/launch?action=join&confno=492468757"/>

Webcam activation without user permission:

<iframe src="https://zoom.us/j/492468757"/>
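The two snippets above work because any web page can make the browser send a GET request to a listener on localhost, and the listener acts on it. As an added illustration of the defensive side (hypothetical design, not Zoom's code), the check below shows how such a local helper service can refuse requests that arrive as embedded content or without a secret only the legitimate client knows; the port 19421 and the `/launch` path are taken from the snippets, the header values, origin list and token are constructed for this example.

```python
"""Hypothetical request gate for a localhost helper service (illustrative,
not Zoom's implementation). Shows how the <img>/<iframe> requests quoted
above can be rejected while the intended client keeps working."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: only this site is supposed to drive the helper from a browser.
ALLOWED_ORIGINS = {"https://zoom.us"}
# Browser fetch destinations that mean "embedded on some page", never a deliberate client call.
EMBEDDED_DESTS = {"image", "iframe", "frame", "embed", "object", "script"}


def new_session_token():
    # Unguessable per-install secret handed to the legitimate client out of band,
    # so a page that merely knows the port cannot forge a valid request.
    return secrets.token_urlsafe(32)


def authorize_local_request(headers, target, expected_token):
    """Decide whether one request to the local listener may trigger an action.
    headers: dict of request headers (names matched case-insensitively)
    target:  request path and query, e.g. '/launch?action=join&confno=...'
    Returns (allowed, reason)."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Fetch metadata: modern browsers tag <img>/<iframe> loads, which is exactly
    #    how the quoted exploit reaches the listener. Reject them outright.
    if h.get("sec-fetch-dest") in EMBEDDED_DESTS:
        return False, "embedded-content fetch (%s)" % h["sec-fetch-dest"]

    # 2. If the browser sends an Origin, it must be on the allow-list.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % origin

    # 3. Regardless of 1 and 2 (older browsers send no fetch metadata, simple GETs
    #    carry no Origin), every action needs the secret token. Constant-time compare.
    presented = parse_qs(urlsplit(target).query).get("token", [""])[0]
    if not hmac.compare_digest(presented, expected_token):
        return False, "missing or wrong token"

    return True, "ok"
```

Rule 3 is the one that actually closes the hole; rules 1 and 2 only give earlier, more informative rejections when the browser supplies the headers.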

Jonathan Leitschuh notified the company on March 26, 2019, but it did not fix the vulnerability, so exactly 90 days later he published a full write-up. The information spread widely and made a lot of noise, after which the company released a patch almost instantly.


But the hacker received no reward. “This is one of the problems with the bug bounty platforms in the form in which they exist right now. They allow companies to avoid the 90-day disclosure period,” he says. “Many of these programs build their business on this idea of non-disclosure. In the end, it seems that they are trying to buy the silence of the researcher.”

Private Bug Bounty


The non-disclosure agreements of platforms such as HackerOne prohibit even mentioning the existence of private bug bounty programs. One tweet like “Company X has a private program on Bugcrowd” is enough to get a hacker kicked off the platform.

Hackers are silenced with a carrot and a stick. The carrot is obvious: money. But there is also a stick: for violating the NDA, researchers can be held liable, up to and including criminal prosecution. The same liability theoretically hangs over hackers who, at their own risk, publish vulnerability information without signing any agreement with the company, guided only by generally accepted hacker ethics and the customary 90-day deadline counted from the date the company was notified.

In 2017, the U.S. Department of Justice published guidelines for the protection of security researchers. By the logic of that document, the severe penalties for illegal hacking should not be applied to a citizen who is concerned about public safety and hacks in the public interest, trying to do the right thing. But that question is ultimately left to the courts. If a hacker wants guaranteed legal protection from prosecution, he must sign the NDA; otherwise he risks ten years or more in prison under the Computer Fraud and Abuse Act (CFAA). This is how private bug bounties should be understood.

Take PayPal, for example. Its official website states that every researcher must create a HackerOne account and agree to the terms of its private bug bounty program, including the NDA. If you report a bug in any other way, PayPal refuses to guarantee your safety and does not rule out filing a claim.

That is, you can only report a vulnerability by signing an NDA, and in no other way. “By submitting a report or agreeing to the terms of the program, you agree that you may not publicly disclose your findings or the contents of your report to third parties in any way without the prior written consent of PayPal,” the document says.



Similar private programs with NDAs are also available for other companies that pay rewards through HackerOne.

This is unacceptable from the point of view of the Electronic Frontier Foundation: “The EFF strongly believes that security researchers have a First Amendment [to the US Constitution] right to report on their research, and that disclosing vulnerabilities is very useful,” says Andrew Crocker, senior staff attorney at the EFF. According to him, many leading security researchers refuse to work through bug-bounty platforms because of the requirement to sign an NDA.

Tavis Ormandy, a respected hacker from Google Project Zero, has taken this position. Tavis refuses to sign NDAs, preferring email: “They may not read my reports if they don't want to,” he says. The 90-day timer keeps ticking regardless.



Tavis Ormandy is not the only security researcher who refuses to be muzzled, CSO writes.

Kevin Finisterre (@d0tslash) turned down $30,000 because DJI required him to sign an NDA before paying, and he does not regret the decision: thanks to disclosing the information, Kevin gained fame and respect in the information security community, and early in a career that is worth a lot.

Finally, the NDA requirement does not comply with the ISO 29147 and ISO 30111 standards, which define best practices for receiving vulnerability reports, fixing the flaws, and publishing advisories. Katie Moussouris co-authored these standards and maintains that private bug bounties by definition cannot meet them, since they describe the rules by which a company receives and processes such information: “When non-disclosure is a prerequisite or condition for reporting bugs through a bug bounty platform, this fundamentally violates the vulnerability disclosure process described in ISO 29147,” says Moussouris. “The purpose of the standard is to make it possible to report vulnerabilities and [highlight] the issuance of advisories to the affected parties.”

Vulnerability disclosure theory argues that the short-term risk of public disclosure is outweighed by the longer-term benefits of fixing vulnerabilities, better informing users, and systemic security improvements.

Unfortunately, platforms like HackerOne do not follow these principles. In its blog post “The Five Critical Components of a Vulnerability Disclosure Policy”, HackerOne explains to customers how to shut security researchers up. In particular, it recommends not specifying the period after which researchers are allowed to publicly report on their work:



According to Moussouris, mature organizations can and should adopt their own vulnerability disclosure programs. If they are prepared for an avalanche of dubious bug reports, they can optionally add a bug bounty reward, but intermediaries like HackerOne are of little help: “I told them before leaving,” Moussouris says, “if you guys can simplify the communication between researchers and vendors, that's good. But if you are trying to sell control, then you are doing the wrong thing.”




