Radar Detectors and Bug Bounties

Who’s In the Right When Paying for Bugs?

The idea of paying hackers for information on bugs is not new. Lots of companies offer “bug” bounties. A few biggies are:

• Mozilla
• Facebook
• Google
• HP (via Zero Day Initiative, or ZDI)

Generally the consensus is that the more the companies know about bugs, the quicker they can fix them, and create a safer environment for us, the users.

But not everyone sees the process the same way. Microsoft, for example, refuses to pay for information on bugs unless it results in legal action (criminal) against the hackers who exploit it. Instead they run a BlueHat Prize Contest awarding $200,000 in prizes to the developers that provide the best solution for protecting a certain aspect of Windows.

The term “positive reinforcement” comes to mind. The contest ends on April 1, 2012. Perhaps then we’ll see if the tactic worked.

Just last week two big bug bounty contests happened – and lots of money was paid out. Pwn2Own is an annual event that challenges hackers, sorry “researchers”, to break web browsers sponsored by ZDI. For the first time ever Google’s Chrome browser was successfully hacked by the offensive-technology firm Vupen. Vupen used two different types of vulnerabilities to exploit Chrome, but was only willing to provide details on one of them.

In protest of Pwn2Own’s rules allowing entrants to refuse to disclose the exploits they use, Google withdrew support and launched its own Pwnium event. In the end they paid out $120,000 to two researchers and had both bugs fixed within 24 hours. Seems like the process works doesn’t it? IF the exploits are shared with the developers so they can be fixed.

But is it right? Does paying hackers really turn them into “researchers”?

Can legit companies ever compete with the black market prices on the vulnerabilities? Should there be legal action taken against companies that publically acknowledge a known bug, but refuse to disclose it – selling it to their own customers or on the black market?

It seems rather obvious that the answer should be yes right? A bug in the wrong hands could cause significant economic, political or even physical damage depending on what it is and how it is exploited.

But hold on. There is a precedent for similar activities being legal. The sale of radar detectors is legal in 49 of the 50 states. Their sole purpose is to assist you in evading the police and breaking the law (speed) with impunity. But who’s responsible if you get into an accident at extreme speed? You are of course. Not the radar detection reseller or manufacturer.

The same should be true of companies that research, identify and sell vulnerabilities. Knowledge of a bug, even selling that knowledge is like being a radar detector reseller. What the end customer does with the knowledge is out of their hands.

Or is it?

Where do you come down on the issue? Is selling bug information something that should be made illegal? Will paying for bugs proliferate the problem, or help mitigate possible damages?