Friday, August 21, 2015

Why bug bounties?

"Rule #1 of bug bounties: No matter how much money you're offering, assume that someone evil found the bug first and didn't report it" - Colin Percival of tarsnap

This! This is why locating and fixing possibly exploitable bugs is so important and why bug bounties help.

If a black hat finds an exploit then they will make money. So there is a direct monetary reward for black hats finding vulnerabilities. Bugs = $.

If a developer ships software then they will make money. There is no money in creating perfect vaporware, only in completed software.
Shipped software = $.
Shipped software has bugs. Therefore your developers will be just as likely to innocently introduce bugs as prevent exploits. Not a good line of defense.

A fixed set of QA engineers will only ever find the bugs that they find. And they are on salary.
Time = $.
They will not find the bugs that are outside of the processes and skills of that fixed team.

So at this point, only one of our three groups have a direct financial reward for finding exploitable bugs in shipped software... and they won't be telling you about it. They have had a reason to be pounding on your software to the very best of their abilities and a reason to succeed. Their livelihood is dependent on being the first to that bug. So they probably were. How many 0 days were exposed by Stuxnet? Hacking Team?

Those that benefit most could have spent the most resources on finding the bugs. So you have to assume that they already did.

No comments:

Post a Comment