"Given enough eyeballs, all bugs are shallow," is the famous observation by software developer Eric Raymond, in a nod to Linus Torvalds, developer of the Linux kernel.
The truth of that statement, dubbed "Linus's Law," is evident in the growing number of bug bounty programs. Consider the following:
- Netflix, for one, recently announced it was launching a public bug bounty program on the Bugcrowd platform after the success of a private bug bounty program it ran in 2016 with 100 Bugcrowd researchers. To date, Netflix has invited over 700 researchers to participate and has received 145 valid submissions.
- In response to growing concern over hacking in the open source community, bug bounty platform HackerOne operates a nonprofit that supports open source projects called the Internet Bug Bounty. The program uses "friendly hackers" to uncover flaws that "have helped improve the security of the internet." HackerOne claims to have paid out $695,000 in bounties to 171 friendly hackers for uncovering 732 flaws.
Bug bounty programs reward individuals for finding and reporting software bugs and are increasingly becoming a core part of an organization's vulnerability management strategy. The prevalence of such programs has created vulnerability management service opportunities for channel partners, who can weigh in with forensic and remediation services to determine whether a bug is legitimate and then fix it.
Vulnerability management service: NCC builds a bug bounty practice
IT services firm NCC Group launched a global bug bounty services practice in 2015 but has been offering bug bounty and vulnerability disclosure-related services since 2011. The firm helps with technical triage and remediation.
"From our early experience in the trenches, we saw the potential of bug bounty and formed a dedicated practice focused on this space," said Adam Ruddermann, director of bug bounty services at NCC Group. Initially, the firm offered bug bounty services on an ad hoc basis "to clients who discovered that a bug bounty process actually created a large volume of work for their internal teams that they were unable to deal with."
NCC's bug bounty services offering has grown into a full practice that allows clients "to utilize professional, skilled security consultants to undertake triage services in an efficient way, reducing the burden on internal teams" while providing information to the research community, he said.
The firm's Bug Bounty Services Practice offers consulting to build and improve the scope of existing programs, internal processes and researcher outreach initiatives, Ruddermann said. On the technical side, NCC Group offers multiple levels of report triage ranging from basic filtering review to source-code-enabled triage and remediation services.
Bug bounty programs are not new; they have been around for over 20 years, from the time Netscape began offering cash rewards in 1995 to anyone who found bugs in its software.
Today, there are firms that specialize in forensics and fixing software bugs, given that many companies "don't have talented enough people to fix bugs," noted James Stanger, chief technology evangelist at CompTIA.
That's how NCC got started. Initially, clients were asking the firm to augment their software teams "as they struggled with the volume of bugs that were being submitted, many of which were not genuine but still took time to consider," Ruddermann said. "This was opportunistic and expensive for clients who were essentially buying consultants to work full time in triage support."
That prompted NCC Group to offer a more complete vulnerability management service that lets clients "subscribe to our pool of expert consultants with a different commercial engagement model that made the relationship much more sustainable," he said.
Some industries, like finance, are still learning how to safely and effectively use the security researcher community in highly regulated environments, Ruddermann noted. "We do expect to see vulnerability disclosure and bug bounty programs become the norm as companies invest more resources into building comprehensive product security programs."
NCC Group's goal is to help companies "build thoughtful and comprehensive product security programs," with bug bounty being just one component. The firm typically starts by understanding the client's goals, products and experiences with the researcher community.
It then works with the client to build security program rules, set accurate scope, determine pricing and provide rules of engagement for the researchers, he said. NCC Group also helps clients determine which bug bounty platform they should utilize for their program.
Once a bug bounty program is launched, NCC Group will "triage reports as they come in, so the client only sees valid bugs, just like a [penetration] test." The firm also provides remediation if the client is looking to build or improve its existing vulnerability remediation program.
Launching bug bounty programs
Companies should do their due diligence before launching bug bounty programs, Stanger said.
"A lot of people think a bug bounty program is the wild, Wild West and open to anybody -- and it kind of is," he said. Usually, however, companies that have implemented a program "have done a considerable amount of threat modeling, so they have a pretty good idea where the threats will be, and they have a prep team to respond to those bugs." They also can tell what is and what isn't a real bug, he added.
"A bug bounty program is more than putting up a page with code. You have to have really good people who can act on and interpret what they're seeing," Stanger said. "They need to be able to handle the input."
There have been a lot of cases where companies were shown a bug and couldn't act on it, he maintained, "so they'd actually offer to pay a person to stay quiet about it, and that's not part of a program at all. We can no longer afford security through obscurity; hide the code and hope the bad guys won't find it. The tools they have are just too good, so why try to keep code secret? Let's put it out there for everyone to see."