
The Case For a Government Bug Bounty Program

Soulskill posted about a year ago | from the 40-cents-for-a-cockroach,-75-cents-for-a-bedbug dept.


Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."


53 comments

You can trust the government. (1)

Anonymous Coward | about a year ago | (#43877507)

No way they are going to buy these vulnerabilities and use them to spy on Americans or weaponize them.

This week on Dog the Bug Bounty Hunter.... "Youngblood, get my port scanner I got a zero day cornered over here. Freeze motherfucker!"

Wrong incentive (0)

Anonymous Coward | about a year ago | (#43877539)

How about holding people responsible for writing bad code and fine them, or allow lawsuits. Engineers who design bridges that fall down sure feel the consequences.

Re:Wrong incentive (1)

lister king of smeg (2481612) | about a year ago | (#43877757)

there is a large difference. the exploits in code are generally used as attacks and don't affect the normal use of the code. this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.

Re:Wrong incentive (1)

Minwee (522556) | about a year ago | (#43877853)

this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.

If the terrorist was able to bring down the bridge using three toothpicks, an ice cube tray and a plastic whistle that he found inside a cereal box, then yes I would hold the engineers responsible.

Re:Wrong incentive (1)

TheCarp (96830) | about a year ago | (#43877779)

Wouldn't it be more relevant to consider what happens to engineers who design bridges that collapse when someone blows them up? That would be a more relevant comparison. Pretty sure they get contracts to design replacement bridges.

Re:Wrong incentive (2)

ShanghaiBill (739463) | about a year ago | (#43877793)

How about holding people responsible for writing bad code and fine them, or allow lawsuits.

That would immediately end the free software movement. No more Linux. No more gcc. No more Firefox ...

Commercial software would become far more expensive and have far fewer features.

There would be a black market in cheap "as is" software written by anonymous authors and hosted offshore.

Re:Wrong incentive (1)

h4rr4r (612664) | about a year ago | (#43878019)

Why?

It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burden FOSS software.

Re:Wrong incentive (1)

ShanghaiBill (739463) | about a year ago | (#43878117)

It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burden FOSS software.

Except that most FOSS isn't written for free. Companies pay people to write the code. If a company pays you to write a new device driver for Linux, and it turns out there is a bug, then you are liable for your full salary in government fines. Right? What programmer would work under those conditions? The company that paid you would, of course, have no liability, because they gave the software away for free (only charging for the hardware device).

Re:Wrong incentive (1)

h4rr4r (612664) | about a year ago | (#43895907)

The company would sue you/fine you?
The end user did not pay, so he has no one to sue/fine. I would assume you would have in your contract that the company cannot hold you responsible. Companies are generally responsible for the actions of their employees.

Public Debt - Privatizing Profits (0)

Anonymous Coward | about a year ago | (#43877547)

So now we are going to support companies by buying their vulnerabilities for them?

Re:Public Debt - Privatizing Profits (3, Insightful)

kasperd (592156) | about a year ago | (#43878099)

So now we are going to support companies by buying their vulnerabilities for them?

It is worse than that. It is essentially rewarding companies for not taking security seriously.

There is software backed by companies which do offer a bug bounty, and there is software backed by companies which offer no bug bounty. Having a bug bounty for more software is desirable. But having government pay it for those companies, who do not pay it themselves, is not the proper solution. A much better solution would be that whenever the government buys software, it will primarily buy from companies, which do offer a bug bounty.

This will mean the software being bought is more likely to be secure. Additionally it will put a force on the market, driving it in the right direction.

The only situation where the government should be paying any bug bounties, is when the bugs are in software or services offered by the government. For example it could apply to security problems found in government websites. But if those products are bought from private companies in the first place, it should be made part of the contract, that the vendor will pay the bug bounty and fix the bug.

Found step 2 (0)

Anonymous Coward | about a year ago | (#43877549)

1. Write flawed buggy code, still useful enough for wide adoption. Possibly with flaws caused by extremely unlikely inputs.
2. "Research" said flaws and notify US-CERT, obtaining bug bounty.
3. Profit

fuck that (0)

Anonymous Coward | about a year ago | (#43877559)

they'll just turn around and use them against us without disclosing to the general public

Bad idea (2)

Raul654 (453029) | about a year ago | (#43877571)

This is essentially a government subsidy to software companies that produce crappy code.

Look at Walmart. it pays its employees so little money that they have to use government assistance like foodstamps and medicare. Walmart shareholders reap the benefit, and the public is left taking care of their employees.

Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur (and for smaller companies, require them to carry insurance up to a certain level of liability).

Re:Bad idea (1)

ShanghaiBill (739463) | about a year ago | (#43877873)

Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur

If someone implemented your idea a few decades ago, there would be no vulnerabilities today ... because the Internet, the World Wide Web, etc. would have never been created.

Re:Bad idea (1)

Raul654 (453029) | about a year ago | (#43877903)

That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

Re:Bad idea (1)

ShanghaiBill (739463) | about a year ago | (#43878023)

That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

So then as soon as they became critical, the original authors would have to assume billions in liability? Or would software be exempted if it was not critical at the time it was written? So the liability would only apply to things that were "critical" before they existed? It sounds to me like this hasn't been thought through very well.

Re:Bad idea (1)

Raul654 (453029) | about a year ago | (#43878129)

It would be fairly easy to have DHS come up with a list of things (physical locations, services, etc) to designate as critical to national infrastructure. In fact, I'd be shocked if they don't already have such a list already.

The organization that runs these locations/services would have to build into all of their software contracts a liability clause.

Problem solved.

Re:Bad idea (1)

ShanghaiBill (739463) | about a year ago | (#43878619)

The organization that runs these locations/services would have to build into all of their software contracts a liability clause.

Problem solved.

Except the problem isn't solved. Our infrastructure is already underfunded. Making all the software cost ten times as much isn't going to help that. Every upgrade will also need new liability clauses and legal review. So upgrades will be less frequent, and our most critical infrastructure will be running the oldest and crappiest code, often written by companies that no longer exist because they were sued into bankruptcy. The military already learned this lesson: they found that the extremely expensive "mil-spec" software was their least reliable, and cheap COTS (commercial off the shelf) was far more cost effective.

Re:Bad idea (1)

thoth (7907) | about a year ago | (#43879011)

There's a couple of logic holes here.
First, who wrote that mil-spec software? Was it a contractor or private corporation? Ah, so the real blame on unreliable expensive software is with some private corporation, not the government, right?
As for COTS being more effective, that's great assuming the critical infrastructure can be run on COTS.

As far as this bug bounty, it is a terrible idea. Sorry corporate America, if you want to keep your code private and reap the corresponding profits, you also get to assume the expense of fixing it and various liabilities if applicable. If your stuff isn't fit for infrastructure, then you get cut out of the bidding/purchase process entirely and replaced with some entity that is willing to. You don't get to socialize the cost of your bugs and privatize the profits, that's total bullshit.

I would only support this bug bounty for open source software, whereby the bugs and fixes are usable by anyone that wants to.

Re:Bad idea (1)

socode (703891) | about a year ago | (#43882229)

If it was mil-spec, there should have been a pretty stringent acceptance process. Why would anyone sign up to unlimited liability?
-there was an agreed spec
-the client set the acceptance criteria
-they delivered what was in the spec
-triggering acceptance finalizes the contract and their liability is limited

Re:Bad idea (1)

kamelkev (114875) | about a year ago | (#43877891)

Agreed. Reminds me of Scott Adams' famous "Write me a new minivan" Dilbert comic:

http://search.dilbert.com/comic/Write%20Minivan

The only viable solution is to assert a cost to the providers of the software. If said cost is linked to such a bounty program, all the better - but you clearly cannot create a scenario in which writing bad code somehow ends up benefiting the software producers.

Re:Bad idea (1)

h4rr4r (612664) | about a year ago | (#43878035)

It is worse than that.
Walmart actually teaches its employees how to file for these benefits and markets these programs to them actively.

The code that really matters (1)

game kid (805301) | about a year ago | (#43877587)

Will there be a bug bounty program for our codes of law, or do I still have to be in a corporation and pay them for my fixes [opensecrets.org] ?

Re:The code that really matters (1)

rodarson2k (1122767) | about a year ago | (#43879111)

That was my first thought. Why can't we point out loopholes in the tax code and get a portion of the proceeds from tightening the legal code?

Why can't we interface prosecutorial databases and law books to find statutes that haven't been enforced in several decades & argue for their dismissal?

Actually, that would make a pretty fun platform when it comes to running for an elected office.
Find useless red tape & I'll work to eliminate it. Find tax loopholes & I'll close them.
Show me the government's waste & I'll trim the fat. Go go crowd government.

reward bail money ? (3, Funny)

WillgasM (1646719) | about a year ago | (#43877625)

Is the reward money enough to get me out of federal prison when I'm arrested for unauthorized access?

Too easily abused (1)

Billy the Mountain (225541) | about a year ago | (#43877635)

Some software authors would intentionally create bugs that their accomplices would then "discover".

Law instead (0)

Anonymous Coward | about a year ago | (#43880725)

Enforce that all proprietary software distributed at large to customers must have bounty programs paid by the owner company, to a specific percentage of sales or profit ratio or some minimum or maximum range.

Ugh (1)

thoth (7907) | about a year ago | (#43877639)

This sounds like a terrible idea. There are times the government should get involved in something, and time they shouldn't. This is one of those times they shouldn't.

It isn't the charter of any federal agency to shore up the products of private corporations. Corporations should be doing that anyway, and under the typical free market is awesome attitude most users here have, the expense of paying for bug discovery and fixes should factor into the corporation's pricing, profits, potential liability (haha) and so on. If the government starts picking up the tab, corporations will just quit doing their own QA.

Citizens now have to pay so Microsoft can fix its product? Don't they make billions of profit every quarter? How about investing some of that into... I don't know... better development and QA??

Plus, with the government offering a bounty, that effectively means the people wind up paying for fixes for products they may not use.

This is just more corporate welfare for irresponsible/lazy ones that are unwilling to properly invest in security.

Jail Time / Recruitment (1)

Baby Duck (176251) | about a year ago | (#43877647)

When you find the bug, they are just going to throw you in jail like they do with other vulnerability exposers. Then they'll offer you an out - be employed by them permanently at crap wages to avoid prison time.

Re:Jail Time / Recruitment (1)

idontgno (624372) | about a year ago | (#43878817)

Kinda like Snake Plisskin, except without the tattoo, the eyepatch, the stealth glider, the weapons, or the general bad-assedness. Like Snake without the cool stuff. A nerd Snake.

Why? (1)

TubeSteak (669689) | about a year ago | (#43877669)

But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks.

Why should the government subsidize these businesses?
I wouldn't have a problem with it if the program was revenue neutral, meaning the companies had to pay the government to essentially run a bug program for them.

Alternatively, instead of the carrot, how about the stick?
Penalize companies that refuse to implement secure design/coding practices and penalize them separately if their hardware/software comes out insecure.

Dilbert invented this program (0)

Anonymous Coward | about a year ago | (#43877797)

He and Wally made a fortune. Nuff said

So I recently quit smoking. (0)

Anonymous Coward | about a year ago | (#43877851)

And I've been getting fat. Decreased metabolism is a terrible thing, and as an IT worker, I sit in a chair all day.

Perhaps this is an opportunity for the government to step in and pay me $150k/year so I can quit my job and exercise.

Sure, this idea is absolutely fucking stupid. Just like the one proposed by TFA. Call your Congressman today and demand they give me free money.

Why not just give our tax dollars away? (2)

h4rr4r (612664) | about a year ago | (#43877857)

Instead of this why not just give our tax dollars away to big vendors?

A simple tax giveaway would be cheaper to administer and have the same end result.

Why in the world is this even an option?

God only knows (1)

Impy the Impiuos Imp (442658) | about a year ago | (#43877885)

I'd like to report a bug. I submit my taxes online, but don't get refund checks. Instead I keep getting certified nastygrams.

Clearly there's some major flaw going on.

Good Idea, for some things (0)

Anonymous Coward | about a year ago | (#43877889)

Make it legal to look for vulnerabilities in critical infrastructure systems such as power, water, defense contractors, electricity, government departments, banks. If it's a significant flaw the company's CEO gets financially dinged.

So the flipside of the argument is (1)

GoodNewsJimDotCom (2244874) | about a year ago | (#43877905)

If Homeland Security said, "It is okay, attack our servers, our power grid, and other infrastructure. We'll pay you if you find a vulnerability." Then they can't just haul you to jail if you attempt it. I always thought, "Don't mess with the stuff to begin with" was a significant deterrent for most people. Now, you might say, "Fix it before an enemy of the state uses it for true detrimental means", well then you'd have to argue with brass who have to admit they were wrong all along.

I'm innocent! (1)

frovingslosh (582462) | about a year ago | (#43877911)

What? You say that you caught me breaking into the CIA, FBI, the White House and another unnamed three letter agency? Naw, I was just participating in the Government sanctioned Bug Bounty Program. Proudly helping my country protect itself from evil-doers. If you don't believe that then I declare a fatwa on you and I want my Imam, I mean Lawyer.

Government Bug #1 (1)

BozoForPresident (659559) | about a year ago | (#43877947)

Complete lack of voluntary support - as expounded upon by Marc Stevens (http://lrn.fm/shows/#NSP), Stephen Molyneux (http://freedomainradio.com/), Larken Rose (http://www.larkenrose.com/)... Oh yeah, and Lysander Spooner (https://en.wikipedia.org/wiki/Lysander_Spooner)

Maybe, maybe not (1)

Ol Olsoc (1175323) | about a year ago | (#43878149)

In cases of murder, the first thing the police do is investigate the spouse, especially if they are the one who, say, came home and discovered their wife had been killed. They are considered the initial suspect.

I would be surprised if anyone who reported a bug wasn't likewise investigated to see what they might have done right after they discovered it. Seems like a person would be opening themselves up to some possible grief doing this.

oh, wonderful (1)

stenvar (2789879) | about a year ago | (#43878403)

Now companies create crappy software with bugs, and then get government subsidized software security testing.

No way (0)

Anonymous Coward | about a year ago | (#43878969)

Given the reactions of vendors I have reported issues to in the past, even in the absence of bug bounties, there is no amount of money that would encourage me to report bugs to government entities. Mozilla's great, but try telling a smaller company (e.g. doing road tolls) that they've got insecure direct object references in their customer web interface and watch the fuckers lawyer-up.

Incitation (1)

manu0601 (2221348) | about a year ago | (#43880231)

If I understand correctly, this is about government doing bug bounty programs for vendors that do not? That looks like an incitation for vendors to not do it, since government will. Except of course if we introduce a tax on vendors that do not have bug bounty programs.

Never happen (1)

rhizome (115711) | about a year ago | (#43881335)

The US Government will never allow a random citizen leverage over it, nor to provide for any obligation to that citizen due to the help they've contributed (ask many veterans).

publishing business? (1)

chrismcb (983081) | about a year ago | (#43882115)

Is the government going into the software publishing business? No? Then why should the government be paying for other corporations' mistakes? If anything they should be fining the corporations, giving the corporations more incentive to find bugs.
We don't need to be finding a way for DHS to spend more money, we need to find a way to get rid of DHS.

Dilbert test - How to tell if it's a bad idea (0)

Anonymous Coward | about a year ago | (#43884663)

If an idea has already been parodied by Dilbert in the 1990s, it's a bad idea today.
