[Info-vax] The global bug bounty marketplace

John Dallman jgd at cix.co.uk
Thu Jan 20 17:26:00 EST 2022


In article <sscc2o$uor$3 at dont-email.me>,
clubley at remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:

> It's also more of a reputation thing. The organisation fixes the bug
> in a controlled manner instead of it suddenly becoming a major news
> story when someone finds it and uses it to exploit systems or
> extract private user data.

I've had to handle bugs that had been reported through a bug bounty
program. I have no idea how much was paid for them, but a few things were
interesting:

The organisation had 90 days to get fixes out before the bugs were
publicly disclosed. I'm in favour of that, even though it imposes
deadlines on me, because it means doing the fixes is actually important.
Buying bugs and sitting on them is counter-productive, because someone
else can discover them meanwhile, and potentially sell them to the
"offensive market."

The bugs we got were crashes caused by bad data files, almost certainly
created by "fuzz testing." They were just crashes, not full exploits.
They might have been capable of being developed into exploits, but we
didn't try: we just fixed the crashes, because that's /much/ easier than
proving that they can't be used as exploits, and proving it again each
time that piece of source is changed. 

Fuzz testing has to be automated to have any reasonable level of
productivity. I don't know how much CPU power you need for it - that will
vary quite a bit according to the kind of code you're attacking - but I
suspect hackers will concentrate on software where they can find enough
problems to at least pay their electricity bill. 

John 
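The crash-from-bad-data-file pattern described above, as an added example that is not part of the original post: a constructed toy record format, a parser that trusts its length fields (the kind of crash a fuzzer finds), the same parser with just the crash fixed, and a minimal automated mutation loop that tells a clean rejection from a crash. The format, the SEED bytes and all function names are assumptions made for this illustration, not anything from the thread.

```python
import random
import struct

MAGIC = b"VX01"  # constructed toy format: magic, 2-byte record count, then (4-byte length, payload) records
SEED = MAGIC + struct.pack(">H", 2) + struct.pack(">I", 5) + b"alpha" + struct.pack(">I", 4) + b"beta"  # constructed valid seed file

def parse_fragile(data):
    # Trusts the length fields, so a truncated or mislabelled file crashes the parser.
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack_from(">H", data, 4)[0]
    off, records = 6, []
    for _ in range(count):
        n = struct.unpack_from(">I", data, off)[0]  # struct.error if the file ends here
        payload = data[off + 4:off + 4 + n]
        trailer = payload[n - 1]  # IndexError when fewer than n bytes remain (in C this is a read past the buffer)
        records.append(payload)
        off += 4 + n
    return records

def parse_hardened(data):
    # Same format, but every length is checked against the real file size: bad input is a clean ValueError.
    if len(data) < 6 or data[:4] != MAGIC:
        raise ValueError("bad header")
    count = struct.unpack_from(">H", data, 4)[0]
    off, records = 6, []
    for _ in range(count):
        if off + 4 > len(data):
            raise ValueError("truncated record header")
        n = struct.unpack_from(">I", data, off)[0]
        if n > len(data) - off - 4:
            raise ValueError("record length exceeds file")
        records.append(data[off + 4:off + 4 + n])
        off += 4 + n
    return records

def fuzz(parser, seed=SEED, iterations=500, rng_seed=1):
    # Automated loop: mutate the seed (truncate it or clobber one byte), parse, and keep one crashing
    # input per exception type. A ValueError is the parser rejecting input cleanly, not a crash.
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        pos = rng.randrange(4, len(seed))
        sample = seed[:pos] if rng.random() < 0.5 else seed[:pos] + bytes([rng.randrange(256)]) + seed[pos + 1:]
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, sample)
    return crashes
```

Running `fuzz(parse_fragile)` returns a crashing input for each exception type it hit, which is the triage unit a fix is written against; `fuzz(parse_hardened)` returns an empty dict because every mutated file is now rejected rather than crashing.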

