[Info-vax] The global bug bounty marketplace

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Jan 21 14:26:40 EST 2022


On 2022-01-20, John Dallman <jgd at cix.co.uk> wrote:
> In article <sscc2o$uor$3 at dont-email.me>,
> clubley at remove_me.eisner.decus.org-Earth.UFP (Simon Clubley) wrote:
>
>> It's also more of a reputation thing. The organisation fixes the bug
>> in a controlled manner instead of it suddenly becoming a major news
>> story when someone finds it and uses it to exploit systems or
>> extract private user data.
>
> I've had to handle bugs that had been reported through a bug bounty
> program. I have no idea how much was paid for them, but a few things were
> interesting:
>
> The organisation had 90 days to get fixes out before the bugs were
> publicly disclosed. I'm in favour of that, even though it imposes
> deadlines on me, because it means doing the fixes is actually important.
> Buying bugs and sitting on them is counter-productive, because someone
> else can discover them meanwhile, and potentially sell them to the
> "offensive market."
>

90 days is the normal industry standard and is a reasonable period to
allow the vendor to fix the problem before the researcher discloses the
vulnerability.

However, if structural problems are discovered as a result of the research,
the vendor may ask for a bit more time to fix the underlying problems,
but of course the researcher is under no obligation to grant the vendor
that extra time.

However, if the vendor is seen to be acting in good faith, that can help
swing the decision towards the researcher allowing the vendor more time
before disclosing the vulnerability.

> The bugs we got were crashes caused by bad data files, almost certainly
> created by "fuzz testing." They were just crashes, not full exploits.
> They might have been capable of being developed into exploits, but we
> didn't try: we just fixed the crashes, because that's /much/ easier than
> proving that they can't be used as exploits, and proving it again each
> time that piece of source is changed. 
>

It's also worth looking at the rest of the code to see if the missing or
incorrect tests that allowed bad data through are also a problem elsewhere
and in a place where more serious damage can be done, such as actually
getting shellcode you control running within the program.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
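As an added illustration of the point about fuzzer-found crashes in data-file parsers (this is example code written for this page, not code from the thread or from any product discussed in it), the following C program shows a record parser that trusts a length byte read from the file beside a hardened version that checks every file-derived length against both the remaining input and the destination capacity. The record format, the sample files and the function names are all constructed assumptions; the "unchecked" function is kept only to show which tests were missing and is never called on the sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (an assumption for this example, not a real
 * file format from the thread): a file is a sequence of records, each
 *   [1 byte tag][1 byte len][len bytes payload]
 */
#define MAX_PAYLOAD 16

struct record {
    uint8_t tag;
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Defective parser: trusts the len byte from the file. A fuzzer-generated
 * file with len > MAX_PAYLOAD overruns out->payload, and a len larger than
 * the remaining bytes reads past the end of buf. Shown only to make the
 * missing tests visible; it is never called on the sample data below. */
int parse_records_unchecked(const uint8_t *buf, size_t n,
                            struct record *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < n && count < max_out) {
        out[count].tag = buf[off];
        out[count].len = buf[off + 1];                 /* no check off+1 < n */
        memcpy(out[count].payload, &buf[off + 2], out[count].len); /* no bounds */
        off += 2 + out[count].len;
        count++;
    }
    return (int)count;
}

/* Hardened parser: every length derived from file data is validated before
 * it is used for a copy or an offset. Returns the number of records parsed,
 * or -1 if the file is malformed (truncated, oversized payload, too many
 * records for the output array). */
int parse_records_checked(const uint8_t *buf, size_t n,
                          struct record *out, size_t max_out)
{
    size_t off = 0, count = 0;
    while (off < n) {
        if (count == max_out)
            return -1;                 /* more records than we can hold */
        if (n - off < 2)
            return -1;                 /* truncated header */
        uint8_t tag = buf[off];
        uint8_t len = buf[off + 1];
        if (len > MAX_PAYLOAD)
            return -1;                 /* would overrun payload[] */
        if (n - off - 2 < len)
            return -1;                 /* payload truncated */
        out[count].tag = tag;
        out[count].len = len;
        memcpy(out[count].payload, &buf[off + 2], len);
        off += 2 + (size_t)len;
        count++;
    }
    return (int)count;
}

/* Constructed sample files: one well-formed, two of the kind a fuzzer
 * produces (a length claim that exceeds the data, and one that exceeds
 * the destination buffer). */
static const uint8_t good_file[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t truncated_file[] = { 0x01, 0xC8, 'a' };  /* claims 200 bytes */
static const uint8_t oversized_file[] = {
    0x01, 0x20,  /* len 32 > MAX_PAYLOAD, although all 32 bytes are present */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
};

int run_good_file(struct record *out, size_t max_out)
{
    return parse_records_checked(good_file, sizeof good_file, out, max_out);
}

int run_truncated_file(void)
{
    struct record r[4];
    return parse_records_checked(truncated_file, sizeof truncated_file, r, 4);
}

int run_oversized_file(void)
{
    struct record r[4];
    return parse_records_checked(oversized_file, sizeof oversized_file, r, 4);
}

int main(void)
{
    struct record r[4];
    printf("good file: %d records\n", run_good_file(r, 4));
    printf("truncated file: %d\n", run_truncated_file());
    printf("oversized file: %d\n", run_oversized_file());
    return 0;
}
```

The two malformed files are rejected by different checks, which is the point of the audit step in the thread: once a fuzzer has shown that one length test is missing, the same pattern (a file-supplied length used for a copy or an offset without comparing it to both the remaining input and the destination size) is what to grep for in every other place the code reads the format.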