
The Joys of Running a Bug Bounty Program

timothy posted more than 3 years ago | from the do-you-guys-buy-moths-as-well-as-caterpillars? dept.


Trailrunner7 writes "When Barracuda Networks started its bug bounty program about three months ago, company officials weren't exactly sure what to expect. They didn't know whether there'd be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn't mean the program hasn't been a success. Peck said that Barracuda also had run into the same problem that Google and others have: hackers don't pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."


52 comments

Hackers and directions (2)

MrEricSir (398214) | more than 3 years ago | (#35196598)

Hell, I could have told you that hackers don't read directions.

But would you have read my advice?

Re:Hackers and directions (1)

RavenChild (854835) | more than 3 years ago | (#35196798)

Hackers are hackers because they don't follow directions. Using something as intended goes against hacking's very essence.

Re:Hackers and directions (2)

symbolset (646467) | more than 3 years ago | (#35196980)

If you give web designers a place to submit bug reports on your website, even if it's not exactly topical, they'll use it. Some web designs are truly unfortunate. If HP published the physical location of their web design teams they'd probably have to enroll them in something similar to a witness protection program.

Re:Hackers and directions (0)

Anonymous Coward | more than 3 years ago | (#35196986)

Then not paying them as expected should suit them nicely.

The whole "hackers don't play by the rules" doesn't wash with me. Part of hacking is a feel for *which* rules to bend or break...

Re:Hackers and directions (2, Funny)

Anonymous Coward | more than 3 years ago | (#35196994)

Wait, this was covered in Dilbert years ago.
The pointy-haired boss announced there would be bonuses based on bugs found.

Wally shouted "woo hoo, I'm writing myself a minivan today"

What? (3, Interesting)

valkabo (840034) | more than 3 years ago | (#35196608)

Hackers are excellent at following directions. They are just also excellent at seeing where the directions are flawed and exploiting them. What, you think Steve the hacker is finding holes in your software by guessing? No. He uses the program like it is supposed to be used and then tracks down the issues he is looking to exploit. You can't break a rule if you don't totally understand it.

Re:What? (0)

Anonymous Coward | more than 3 years ago | (#35196750)

Methinks you don't have much of a history either hacking or reverse engineering. Guessing is usually half the job.

OT: last week when trying to crack some program's behavior I was stepping through 200 pages of assembly, looking for the magical branch instruction; somehow I immediately pinpointed it absent any contextual information whatsoever. I was stumped. // end of trivial example

Re:What? (2)

sortius_nod (1080919) | more than 3 years ago | (#35196786)

I'm thinking you don't either by saying that it's "guessing".

An informed guess is different to a blind guess, and to be quite frank, blind guesses don't generally find exploits or bugs.

That said, running in and guessing isn't what you do when you want to break a system, generally you need to know how the system works, or know enough to be able to theorise what might break it. It has nothing to do with guessing.

Re:What? (0)

Anonymous Coward | more than 3 years ago | (#35196804)

An informed guess is still a guess. You're simply arguing semantics by stating the obvious.

Re:What? (1)

TimHunter (174406) | more than 3 years ago | (#35198878)

You can't break a rule if you don't totally understand it.

Uh, what? Frequently you break a rule because you don't understand it.

Just for example, suppose I tried to upgrade the electrical wiring in my house without understanding the electrical system building code. The building inspector won't approve my changes because I broke the rules about electrical wiring.

Re:What? (0)

Anonymous Coward | more than 3 years ago | (#35201636)

You can't break a rule if you don't totally understand it.

Explain these guys: http://en.wikipedia.org/wiki/Script_kiddie

Pay up if they fix the "out of bounds" issues (2)

PatPending (953482) | more than 3 years ago | (#35196630)

The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

Re:Pay up if they fix the "out of bounds" issues (4, Insightful)

Wrath0fb0b (302444) | more than 3 years ago | (#35196638)

If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? There was an explicit deal regarding which flaws qualify for bounties and which do not. If someone submits one contrary to an honest reading of those terms, they are owed nothing.

Re:Pay up if they fix the "out of bounds" issues (2)

Voyager529 (1363959) | more than 3 years ago | (#35196684)

That depends. You're right if you're asking him to limit his assessment to the foundation; however, if he sees that the water heater is set to burst in such a manner that when it does break it will damage the foundation, then yes, I'd say you're still on the hook. At the end of the day, a risk to the foundation was found. If you're limiting the risk to only those which have already manifested, then yes, the case could be argued, but you'd be a fool not to consider it an assessment within the scope of the question. There's a difference between that (finding a secondary answer to the question being asked) and simply saying that the heater is broken so your water won't be hot. I'd say that the former should still count, while the latter should not.

Re:Pay up if they fix the "out of bounds" issues (3, Funny)

TubeSteak (669689) | more than 3 years ago | (#35197240)

Water heaters aside, I think you'd be wise not to piss off people who have shown they can find holes in your product and/or corporate website, regardless of their ability to follow directions.

Re:Pay up if they fix the "out of bounds" issues (1)

bWareiWare.co.uk (660144) | more than 3 years ago | (#35198226)

The question about what is under the contract is only part of the issue. If an unsolicited observation saves you money (i.e. you wouldn't have noticed yourself and you were able to take preventative action) it would make sound economic sense to express your gratitude.

Re:Pay up if they fix the "out of bounds" issues (1)

Abstrackt (609015) | more than 3 years ago | (#35200154)

The question about what is under the contract is only part of the issue. If an unsolicited observation saves you money (i.e. you wouldn't have noticed yourself and you were able to take preventative action) it would make sound economic sense to express your gratitude.

Interesting point. One thing isn't clear to me though, and I'm honestly curious, what constitutes an acceptable gesture of gratitude? Is a company required to express their gratitude towards someone's observation with money? Or is it enough to give them a personalized "thank you" in an email, offer them a free copy of future versions of the software or simply give them some public recognition?

Re:Pay up if they fix the "out of bounds" issues (2)

kaiser423 (828989) | more than 3 years ago | (#35196836)

If it saved you money and/or fixed a problem, i.e. his service reaped unexpected bounties, I would think that the respectful thing to do would be to pay him. But then again, I do actually want people to tell me when other things outside of scope are wrong, because, you know, that's helpful and worth something.

Legal vs ethical. (1)

khasim (1285) | more than 3 years ago | (#35197006)

If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater?

Legally, that would depend upon the specific wording of the contract you signed with him.

Ethically, if he found a flaw that you did not know about and told you about it in a manner that allowed you to save money by fixing it before it got worse, then yes, you do owe him.

Re:Pay up if they fix the "out of bounds" issues (2)

JWSmythe (446288) | more than 3 years ago | (#35197014)

Actually, it's much different than that.

It would be like you hired a contractor to assess the foundation of your house (your application), and instead he tells you about problems with the front door of the adjoining house (your website), or about the foundation of houses in another state (competitors' applications). Only an idiot would pay for such a report.

If (and only if) they asked for a comprehensive evaluation of the security of their company would the web site be included in it, unless the web site is essential to the operation of their application. If they intended to get paid for the work, they shouldn't have reported it through the bug tracking system. It could have been reported independently. I didn't read far enough to see if the bugs were really security bugs, or if they were simply rendering errors.

Re:Pay up if they fix the "out of bounds" issues (3)

SharpFang (651121) | more than 3 years ago | (#35197238)

Actually, they are owed gratitude and what little courtesy demands. You have no contractual obligation to reward them, but in all fairness, if they discovered an error you didn't know about, where you didn't expect it, they deserve some kind of gratitude.

Re:Pay up if they fix the "out of bounds" issues (0)

Anonymous Coward | more than 3 years ago | (#35199180)

If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? ...

Technically you don't owe him anything, but it's good manners at least to say thanks and/or recommend such an honest contractor to your friends. Money is a good incentive, but most hackers don't do their research for it. They usually do it for other reasons, like gaining knowledge and recognition. A little example would be Geohot vs. Sony on his PS3 hack.

Re:Pay up if they fix the "out of bounds" issues (1)

scdeimos (632778) | more than 3 years ago | (#35196650)

There are still "good citizens" out there that will report bugs without an expectation of payment.

One of our applications files cases for exceptions through FogBugz, giving users the opportunity to add their own comments before submission. We know some users just click Cancel (thus not reporting an issue) but maybe 10% of submissions have a comment and about 10% of those say anything meaningful to help us replicate the bug. I don't recall anybody asking for money before telling us what they did to break it.

Re:Pay up if they fix the "out of bounds" issues (1)

hedwards (940851) | more than 3 years ago | (#35196914)

That's partially because we're used to bug reports that go somewhere, and we have absolutely no clue as to what exactly is done with the information. And often times we're not told what information is being sent anyways. I don't know what things are like where you're working, but I do know that a lot of people aren't going to trust random strangers. Which in a sense is odd, given that there's enough trust to run the program, but there you go.

Re:Pay up if they fix the "out of bounds" issues (1)

scdeimos (632778) | more than 3 years ago | (#35197308)

Yes it is rather strange, isn't it (trusting you enough to run your application but not enough to log error reports)?

We go to a great deal of trouble showing the user what information will be logged (given that this is running inside the application's exception handler, we have to be very careful about triggering more exceptions) so that users can make an informed decision about the Ok/Cancel buttons on the exception dialog. Still, we occasionally get users (staff or customers) that complain to us through other channels (phone/email) about problems that they've been having and then have to fess up that they've never bothered to log an exception report.

Sometimes they've been experiencing the problem for months and we could have fixed it in a couple of minutes and had it out in the wild a couple of releases ago. Maybe we should take a leaf out of Sony/BMG's book and just do it without their consent. (jk)

Re:Pay up if they fix the "out of bounds" issues (0)

Anonymous Coward | more than 3 years ago | (#35196680)

If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

Well, since one of the examples was not their product, I'd just suggest they pass it on, or pass it on themselves, with a thank-you note. The website itself... maybe a coupon for something with the thank-you note. Heck, coupons in general. Always a way to show how magnanimous you are.

Re:Pay up if they fix the "out of bounds" issues (1)

noidentity (188756) | more than 3 years ago | (#35196730)

The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site.

Who would complain that people are submitting more bug reports than asked for?!? They're getting reports for their website, without any need to pay a bounty. The problem with this is? Even bug reports of a competitor's product are useful in letting them know what areas are important to customers.

Re:Pay up if they fix the "out of bounds" issues (1)

blackest_k (761565) | more than 3 years ago | (#35197910)

It's generally really difficult to get through to anyone who could actually get a bug fixed.

The sales contacts won't be able to do anything.
Dave from Bangalore can't deviate from his scripts and will not pass anything back to the engineers on the other side of the world. So who, where?

So, given the opportunity to pass bug reports back to a company, why not pass your bug information to them? It's not like there is an alternative point of contact available for these other bugs.

What is really crazy is that the corporate mind thinks this is people wanting to get paid for fixing unrelated bugs. It isn't. It's people wanting bugs fixed, even if it is a bug in the partner's software; at least corporation A has a line of communication to corporation B, and hopefully the bug can be resolved to the benefit of both corporations and their customers.

At least with open source software you can submit a bug about anything and hope to see it get fixed, or find workarounds or updates, or if need be fix it yourself (it is always going to be easier for someone who has worked on the code base to find the error, fix it and submit a patch).

Barracuda (4, Funny)

American AC in Paris (230456) | more than 3 years ago | (#35196658)

...does "your messaging client is such a kludge that I would frankly rather try to use an actual elongated carnivorous fish to IM with my co-workers" count as a bug?

Re:Barracuda (1)

Jerf (17166) | more than 3 years ago | (#35199532)

I was the team lead on that product for a long time. It's based on a standard XMPP server. Use any standard XMPP client you like, if your administrator lets you install it. (If not, well... I can't really solve that problem.) The shipped client has deliberately been simplified for non-power users, as a result of a lot of feedback from such people. For example, XMPP's resource handling confuses most people, so it has been hard-coded in the client. If you're a power user you should definitely use Pidgin or Trillian or something.

Huh. Really? (0)

Octopuscabbage (1932234) | more than 3 years ago | (#35196696)

So people who do things against the law do not like to follow rules? Really?

Re:Huh. Really? (0)

Anonymous Coward | more than 3 years ago | (#35196814)

I see you're one of these people that think anyone called a "hacker" must automatically be a criminal.

Puny bounties (3, Funny)

Animats (122034) | more than 3 years ago | (#35196748)

There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS. They gave away about two cars a year, and it was worth it.

Re:Puny bounties (1)

hedwards (940851) | more than 3 years ago | (#35196926)

That's always a problem, there's a balance, you can't give away something that expensive for every bug no matter how tiny. But you also do have to compensate researchers enough to make it worth their while for more important bugs.

Re:Puny bounties (1)

syousef (465911) | more than 3 years ago | (#35196962)

That's always a problem, there's a balance, you can't give away something that expensive for every bug no matter how tiny. But you also do have to compensate researchers enough to make it worth their while for more important bugs.

So only guarantee small bounties, but then generously offer discretionary rewards for important bugs, then use the publicity when you do give away something of value to get more researchers interested. Still cheaper than hiring a traditional test team.

Re:Puny bounties (-1)

Anonymous Coward | more than 3 years ago | (#35197126)

that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS

That's really appropriate. We all know how buggy Volkswagens are.

/Ducks.

Re:Puny bounties (1)

im_thatoneguy (819432) | more than 3 years ago | (#35197226)

There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS.

The latest generation of VW Bug? Why not just knock them over the head and steal their children? Why on earth would anyone submit a bug if there was a chance they might have to drive a VW Beetle?

Rule of First Sale (0)

Anonymous Coward | more than 3 years ago | (#35199318)

You can always just sell it for some cash.

How to ask questions/report bugs intelligently. (0)

Anonymous Coward | more than 3 years ago | (#35196768)

People have forgotten how to ask questions intelligently (reporting bugs involves the same sort of etiquette/thinking). Actually, they never really learn how to in the first place.

Not Just Hackers (4, Insightful)

Bieeanda (961632) | more than 3 years ago | (#35196808)

I hate to break it this way, but most people don't have the QA skills of a goldfish. Most of them, even given guidelines, walkthroughs, or even formal instruction on how to write a bug report, would rather just drop a single, unhelpful line and get back to waiting for a cheque.

Re:Not Just Hackers (0)

Anonymous Coward | more than 3 years ago | (#35196826)

I have to agree with you there. We had one guy QA our web app and we started seeing bug reports pop up for adobe.com and no we aren't adobe.com. When we questioned him about it his response was something along the lines of "oh that's not our website?". After that I told my PM I couldn't work with him anymore.

Heh . . (1)

228e2 (934443) | more than 3 years ago | (#35196936)

I remember finding a bug in their bug submission portal... it was right of me to never submit it, right?

Re:Heh . . (1)

SharpFang (651121) | more than 3 years ago | (#35197262)

Depends what it was concerning. Same problem as running fsck from a corrupted filesystem: you have no warranty fsck itself is not corrupted and won't corrupt the filesystem further.

the catch (0)

Anonymous Coward | more than 3 years ago | (#35197506)

What they don't mention is that researchers aren't allowed to demonstrate vulnerabilities using Barracuda's demo website. You might have found a flaw but you'll have to buy the damn app to get a bounty on it. There's no excuse for this; it's nigh-impossible to accidentally harm a website with XSS or CSRF. Google and Mozilla say 'no DoS' and leave it at that.

Also, since when was XSS in the administration console non-critical?

smells fishy alright (0)

Anonymous Coward | more than 3 years ago | (#35197996)

Have they hired someone new at Barracuda to help "wallpaper" the net with junk news about their company? Look for lots of robo-spam on many forum posts next, I guess.

I noticed that someone in the last couple days posted 4 or 5 glowing reviews of their workplace on glassdoor.com. Just about the only positives present there...

I'm working on a better bounty program (1)

jimktrains (838227) | more than 3 years ago | (#35198288)

I was in the middle of writing a site for bug/feature bounties that any project could sign up and use, but I'm not quite able to demo it yet. I've slowed work because I got tons of negative feedback on the idea from people thinking that it's a beaten concept and there was no reason to write a (better) app since others are out there. I'm still working, but slowly.

cuda sux (0)

Anonymous Coward | more than 3 years ago | (#35202138)

Barracuda is an ungrateful company. You should try working there...

Another poor implementation... (0)

Anonymous Coward | more than 3 years ago | (#35209334)

That an organization would attempt to limit the bug submission process to only a select few products is ridiculous. You completely eliminate other issues which can be discovered, as proven by the comments in the article posted above. Why not allow an open submission process with specific parameters on financial compensation for submissions? Google should be reading this as well. Adopting this policy will ultimately improve all software released, as well as not punish those who are inclined to challenge themselves mentally by finding bugs and gaps in software. There seems to be a disturbing trend in the corporate world as of late with the prosecution of hackers/crackers etc. If this trend continues we will be in trouble. Eventually the age of the white and black hat hackers will fade, and all we will be left with is black hat hackers and grey hat hackers who simply keep their mouths shut.
