back to article We don't need no STEENKIN' exploit brokers: Let's FLATTEN all bug bounties

Security watchers are proposing the introduction of "flat rate" bug bounties by software vendors to try to stop vulnerability researchers from flogging off flaws to exploit brokers or on the black market. They believe that the current situation is bad for security, and means that vulns often end up in the hands of criminals – …


This topic is closed for new posts.
  1. Alister

    Stefan Frei, research director at NSS Labs

    No, go on, really?

    Is he tall, and has a broken nose?

    And can he tell us how the internet works?

    1. Destroy All Monsters Silver badge

      Not the same guy, guv!

  2. Paul Crawford Silver badge

    Sadly what I think is needed are new liability laws that make software and device manufacturers liable for failing to fix disclosed bugs in a reasonable time scale and for, say, five years after the device was on sale.

    I'm looking at, for example you HTC, for your crappy phones with little or no updates, and you, most phone networks, who add all sorts of crapware and then don't pass on any underlying OS bug-fixes because of that.

    And also without causing endless trouble for users by the fix being incompatible and needing a "factory reset". I mean, come on Android (and others) you are using an underlying OS that already supports modular updates and bug fixes (and has done for years and years). Why, oh why, can't you use that mechanism?

    1. Daveho


      The answer isn't more government regulation. The market can figure this out better than the government while keeping costs low and increasing competition. Its pretty simple, don't buy HTC if they're crap. I've had a HTC and I let people know how little I liked it. I've affected probably 20 sales decisions alone. You've probably done more with your one post.

      Let people make their own decisions. More government creates more dependence, higher taxes, and almost no improvement.

      1. Terry Cloth

        Re: Nonsense

        Ah, yesss... you remind me of a chap I once had a conversation with, who claimed the (U.S.) FAA should be abolished. You'd instantly see ratings agencies (like Consumer Reports, or Which?) spring up to tell fliers which airlines killed the fewest passengers. He was either serious or had the best deadpan I've ever seen.

        Of course, those agencies would only have access to the gross numbers, with no way to force inspection of pilots' logs or installation of safety gear, much less require reasonable maintenance levels. But not to worry, Capitalism is our savior.

        There are a number of public goods that are much more efficiently supplied by us all joining together to ensure their delivery (roadways, food inspections anyone?) than by leaving it up to individuals. Think of it as economy of scale.

      2. Tom 13

        Re: The market can figure this out better than the government

        It could mostly, if government didn't already have its fat fingers on the scales. The previous poster has the nut of a decent idea with his 5 year warranty requirement. The other part is to do away with the self-indemnification against these issues that software manufacturers operate under. Make them strictly liable for 3rd party damages if security breaches occur and there are no existing patches. If there is a patch and the user hasn't installed it, let them fight it out in court. In most instances that will still give an advantage to the big corp, but doing it otherwise would create a power imbalance that would destroy the big corps. Like it or not, we need them.

  3. Al_21

    Great news for white hats and black hats :)

    No doubt, the private brokers will start shelling out higher rewards.

    Certainly market failure around this arena which needs to be addressed, but don't think a flat fine is the way to go, especially if its "per exploit found, irrespective of their severity" - ignoring severity/potential damage, number of impacted users and factors required for the exploit to be exploitable seems like it hasn't been thought through.

    1. big_D Silver badge

      And the price of software will increase dramatically... As the software developers scramble to generate funds to pay the bug bounties.

      1. Destroy All Monsters Silver badge

        Well no. They would not be FORCED to pay up when a mysterious call from a stranger arrives.

        On the other hand, they could put money & time into assurance efforts. No more half-arsed coding during the weekend for Internet-facing software by C++11 hackers freshly out of uni, but bill accordingly.

        Or it could come down to: insurance.

        Good processes? Low premiums. Shite processes? High premiums. Fly-by-night? No insurance (but maybe the customer is indeed happy with that).

        It would be like high-reliability engineering, really.

        1. Tom 7

          C++11 hackers freshly out of uni???

          Do they teach C++ even in uni these days? I would have though that was year 6 of a 3 year course?

          1. M Gale

            Re: C++11 hackers freshly out of uni???

            Graduate from LJMU, BSc(hons) in Computer Games Technology. They taught C, and C++, and C# (amongst other languages/toolkits such as Matlab). C# has Mono and Unity3D behind it, and for computationally intensive tasks (like computer games), there really is no substitute for C and C++.

            Well, asides assembly language perhaps, but I'm pretty sure even experienced ASM programmers only drop into it occasionally to optimise a C or C++ routine. Only really saw bits of Assembly language on the course as it related to using PS2 devkits. All I can say to that is "I pity the poor PS2 coders". God that was an awful system. The devkits look lovely though.

        2. Anonymous Coward
          Anonymous Coward

          Or it could come down to: insurance.

          Good processes? Low premiums. Shite processes? High premiums. Fly-by-night? No insurance (but maybe the customer is indeed happy with that).

          Here how it works in real world:

          Good processes: High Insurance. Shite Processes; High Insurance.

          Person footing bill: Customer.

          it's like the 'elf and safety gawn mad syndrome. It's bugger all to do with health and Safety and all to do with massive insurance costs. What will happen is the small players will be wiped out of business by extortionate costs and the large players will battle it via the courts.

        3. ElReg!comments!Pierre

          > half-arsed coding during the weekend for Internet-facing software by C++11 hackers freshly out of uni

          Where it would be an improvement... Copy-pasted PHP with a dash of horrendous java seems to be the norm. Developpment has to go through a committee of non-technical people, charged with putting together a spec. Of course it ends up beeing a mix between Miss Marple's understanding of computers and the latest fake gizmo they saw on NCIS, only even blurrier. They outsource that to the lowest bidder, they usually get a quick-and-dirty rehash of a database frontend the contractor had lying around, and then starts the haggling period (~a year) in which the committee asks for a mod, the contractor applies a dirty patch to make it more or less happen, lathe, rinse, repeat ad nauseam. And then when the committee is satisfied with the Frankenstein monster of a clusterfuck it has become, they call in the tech people and say: "It costs us 250000 so you'd better make it work".

          It's good that we have a zero-tolerance policy about people showing up at work when sick, because if someone was to sneeze too close to the servers on which these horrors are running, Dog knows what would happen.

  4. Pascal Monett Silver badge

    "companies would most likely rather employ full-time vulnerability researchers"

    And I am to understand that that would be a bad thing ?

    How would that keep white-hat searchers from finding bugs ?

    I think that the more eyes are watching the more secure the product will be (except if those eyes belong to the NSA, obviously).

    1. Destroy All Monsters Silver badge

      Re: "companies would most likely rather employ full-time vulnerability researchers"

      Yeah, I am puzzled about this too.

      Is being employed no longer considered a good thing?

      Kujawa reckons a kitemark scheme for federally approved industry seal for software testing would offer an alternative means of weeding out security bugs from the software ecosystem.

      Yeah, FIPS approved and everything. 100% security tested SEAL OF GOVNMTAL APPROVAL.

      The real world just doesn't work that way.

    2. Tom 13

      Re: "companies would most likely rather employ full-time vulnerability researchers"

      Money for salaries is typically treated as an either or thing. The comment implies they'd rather be investing the money in full time employees who than bounties because they presume the full time employee will produce more results.

      The general idea might work, but I'm not sure the dollar figures will. I think unlimited liability for known bugs that aren't patched is a more logical route.

  5. Pete Spicer

    What about those of us that develop for open source web software? Should we somehow try to find that money too? (Not that the open source software I develop for has anywhere near that amount of money anyway)

    1. Anonymous Coward
      Anonymous Coward

      Or even those small software houses writing custom code, that may be their annual profit, for a bug that may only affect a few people.

      And where doe the money come from? The customer. Who else.

  6. b0llchit Silver badge

    "Free" market prices

    Once you set a price, the competition will set another, likely more competitive price.

    $150000 if I sell white-hat, $175000 if I sell gray-hat, $200000 if I sell black-hat. Guess who is getting the next exploit first...

    It would be an arms-race and it cannot be solved with money. Security is primarily an attitude problem and, as with all non-technical problems, you cannot use technology to solve a non-technical problem.

    1. admiraljkb

      Re: "Free" market prices

      My thoughts EXACTLY on it starting an arms race. Many of the exploits for things like Flame and Stux are invaluable. Most Govt's can just up their (off the record) bounty by 25K (of whatever currency floats your boat), and keep doing that all day long. I think this might be a step in the right direction to get rid of many lower level exploits, and it could get a whole lot of new folks trying to find security bugs for a quick payday, but the BIG security defects will still mostly end up in the hands of the folks with lotso cash.

      1. Charles 9

        Re: "Free" market prices

        So that brings up a new problem: How does one encourage people to turn in bugs like a white-hat when the opposition is a type for whom money is no object?

  7. Anonymous Coward
    Anonymous Coward

    "federally approved"

    Yeah right. Try that again when the US of A have regained some credibility.

  8. ElReg!comments!Pierre

    The amount is not the problem

    You can get into really serious problems for discovering a vuln and letting the vendor know about it. The problem is not about Google paying too little for bugs, it's about the gazillion other firms willing to set the legal dogs on anyone suggesting their stuff may be less than perfect. has a non-exhaustive list of such behaviours:

    This "uniform reward" thing is stupid; most hackers I know aren't in it for the money anyway, a step towards protection against revenge lawsuits, and perhaps not being considered a threat to national security, would help much more.

  9. YetAnotherLocksmith Silver badge

    So there would be a race between the employed bug hunters and the rest of the world? Sounds like fun.

    Further, I can see issues with bugs being hidden then "found" for $150k a time by friends of those working on the code.

    "Anyone want to go halves?" would become a common refrain.

    1. Michael Wojcik Silver badge

      Further, I can see issues with bugs being hidden then "found" for $150k a time by friends of those working on the code.

      That's only one of the ways to game the system. This "regardless of severity" proposal creates an enormous perverse incentive.

      Anyone who's looked at any of the many relatively-complex security holes published over the last several years - such as most of the Java ones from Gowdiak / Security Explorations; or the BEAST, CRIME, and Lucky 13 attacks on SSL/TLS; Koret's TNS Poisoning attack against Oracle; Kanthak's series of "Defense in Depth" attacks on Windows; Ormandy's near-legendary Windows #GP trap exploit - knows that the best vulnerability research, the kind of research that's used to develop APTs and the like, produces exploits that rely on a series of vulnerabilities. Rather than turning the whole thing in as a coherent, end-to-end demonstration of a security hole, a researcher could break such an exploit up into its components and get multiple payouts.

      It's also an incentive for corporations to deny or minimize the importance of vulnerabilities: "If we publish a notice of or fix for this, we'll have to pay a bounty". And regardless of the "small percentage of total sales" calculation (which only applies to very large organizations, obviously), externalities are a very tempting target for cost-cutters. When a development unit is told "cut your bounty payouts or cut headcount", guess which way the knife will turn?

      Others have noted how this is completely unreasonable for small software publishers. And what about free-as-in-beer software? Who's paying the bounty for vulnerabilities in phpMyAdmin, say?

      Bounties are useful to provide an incentive to do the right thing. Trying to outbid prices for the wrong thing is pointless - the payoff matrix is heterogeneous. People inclined to report vulnerabilities responsibly are unlikely to be swayed either way by financial calculation.

  10. bpfh

    150k flat rate?

    OK, so who can afford to pay a bug bounty at a flat rate that exceeds several years total net turnover for some small businesses?

    Thing is, those small businesses are more likely to invite you round for a beer or three if you find anything whereas some large companies (Apple I'm thinking of you) will invite you to a lawsuit instead...

This topic is closed for new posts.

Other stories you might like