back to article I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don't pay out for reports are making life even harder while putting their own products at risk. Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote …

  1. Anonymous Coward
    Facepalm

    Or....

    Companies are afraid that offering large sums of money would attract more attention to exposing their incompetence !

    1. Anonymous Coward
      Anonymous Coward

      Re: Or....

      Better than the other way of exposing their incompetence* which is to have all their customer details stolen or their website brought down. I know which I'd prefer.

      *Incompetence is a little harsh, I suggest. All software of any size has bugs and vulnerabilities, doesn't matter who you are or how good your programmers are - nearly all are human after all. I would suggest that the security teams for many companies would have a say over bug bounty programs and these very teams are the ones who don't wan't to attract large scale attacks on their systems by researchers which may or may not decide to claim a bounty via the official route if they find something significant.

  2. JustWondering
    Meh

    A little shortsighted

    These companies may want to consider that someone skilled enough to find these vulnerabilities may be aware of other ways to benefit from their knowledge.

    1. Shadow Systems

      Re: A little shortsighted

      If the ethical bug hunter finds a bug, properly reports it, & gets nothing from the folks it was reported to, then the ethical hunter will stop hunting for your bugs & go elsewhere.

      The unethical hunter may start by letting you know & expecting to get paid, but getting rebuffed (or given swag as an insult), then the unethical hunter will instead turn to selling said bugs on the dark web hacker fora. You don't pay them then perhaps someone else will & not for very nice purposes.

      If you ask mechanics to review your car & make sure it won't go up in flames, then refuse to pay them for their time, the honest ones will refuse to do business with you in the future & the dishonest ones will "find nothing wrong" to your face & promptly take full advantage of any flaws they DO find.

      Don't insult them by offering swag, pay them what their efforts are worth. You pay them, they'll keep hunting for bugs, & your product will become safer/more secure as a result. Insult their intelligence & they'll still find the bugs, they just won't *tell you* about them.

      1. Blank Reg

        Re: A little shortsighted

        Your analogy doesn't work, they weren't asked to find vulnerabilities. It would be as if a mechanic walked up to your car to do an inspection that you never asked for and then demanded to get paid.

        1. GnuTzu
          Stop

          Re: A little shortsighted

          "It would be as if a mechanic walked up to your car to do an inspection..."

          O.K. but, it's by regulation that inspections and emissions tests are mandated (under various circumstances).

          And, when (or if) we get self-driving cars, are their going to inspection requirements to make sure the code is appropriately patched to insure that other cars and passengers on the road are not endangered.

          The more that we come to depend upon software, the more there will come to be a mandate for safe software that does not endanger others. It will be interesting to see what happens to the bug-hunting market then.

        2. Spazturtle Silver badge

          Re: A little shortsighted

          No it's like a mechanic walking up to your car and informing you that your breaks are faulty and then you demanding he tell you exactly what the problem is without paying him.

          1. doublelayer Silver badge

            Re: A little shortsighted

            A completely accurate analogy is hard, but it is something like if a mechanic approached me and informed me that my car had a serious fault with it, and explaining why. Depending on the details, I might not care that much or I might be very interested in the risks. In the latter case, I'd be grateful that I was able to avoid the negatives and I would offer said mechanic some recompense for the useful service they provided. In the other case, I'd not do very much. However, it sounds as if the bugs found were considered very important, so a shirt, which is the equivalent of a thanks from me, seems less than justified..

        3. keith_w

          Re: A little shortsighted

          If there is a bug-bounty program of any sort, even swag, then you are asking someone to step up to your car and tell you what is wrong with it.

    2. Michael Wojcik Silver badge

      Re: A little shortsighted

      Bug-bounty programs are difficult to structure, manage, and budget for. With large organizations it's extremely difficult to accurately estimate how many unsolicited reports you'll get from outside researchers over a year. The value of a report is difficult to determine: computing metrics such as CVSSv2 or v3 scores is rather subjective, the security sensitivity of the product and exposure to customers has to be taken into account, the development team may claim to have been aware of the issue already, and so on.

      Sometimes you get multiple reports from independent reporters. Sometimes reports are simply incorrect, or refer to old product versions which are no longer supported, or only apply to configurations which are specifically documented as insecure.

      With a large organization, getting agreement on bounties across all units is difficult. Should all products have similar bounty structures? What about reports for vulnerabilities in public-facing websites? Or in infrastructure? To get any sort of consistency you need clear direction from the C-suite level.

      Often a PSRT can quite easily get approval for swag, but getting a bounty program in place can take years of lobbying top executives. You do what you can.

  3. Anonymous Coward
    Anonymous Coward

    I quit reporting vulnerabilities years ago - it's hard to get anyone to listen to you - most of the time you are ignored.

    1. Anonymous Coward
      Anonymous Coward

      And some big companies just don't listen or have an interest.

      We got DOSed by Google 2 years ago. Probably a poorly configured server in their California server farm. It was pushing 100mbps down our 10mbps pipe.

      Emailed the abuse and webmaster addresses as a first step, both got an automated reply saying that they get some many abuse reports that they never read any emails going to those accounts...

      Tried phoning them, but after being pinballed back and forth through their automated phone system, the best information I could get was to check the Google website for the relevant category (they don't have a page dealing with being attacked by Google), before the telephone system tilted and kicked me out.

      Tweeting Google, pleading with them to stop DOSing up didn't bring any response either.

      In the end, we got a 30 day block at the ISPs perimeter. We were in the middle of moving anyway, so we just abandoned the old IP address and moved over to a new one at the new provider.

      1. ibmalone

        I hear injunctions are a thing :)

    2. This post has been deleted by its author

    3. sitta_europea Silver badge

      Quoting Anonymous Coward:

      "I quit reporting vulnerabilities years ago - it's hard to get anyone to listen to you - most of the time you are ignored."

      You're absolutely right AC, my experience is exactly the same, but I still go on reporting. For example I've been reporting to Exertis, British Gas, the BBC and the DVLA, all for over a year. Nowadays though, as they've ignored me, I just like to drop the names...

      Ooooh - I forgot to mention The Register! (Guys, see my mail sent to you at 18:37 on 15 Sep 2017.)

      1. Doctor Syntax Silver badge

        "see my mail sent to you at 18:37 on 15 Sep 2017"

        Or in my case 11:57 11 Oct 2018.

    4. Anonymous Coward
      Anonymous Coward

      In that case, you *do* report them... to the press.

      But only after making sure you have your back very well covered, and they can't find out who you are.

      Sadly, as we know all too well from experience, many companies not only don't care about such things, they strongly dislike being made to look bad and will actively attempt to have those reporting such vulnerabilities portrayed and/or prosecuted as "hackers".

      1. Doctor Syntax Silver badge

        will actively attempt to have those reporting such vulnerabilities portrayed and/or prosecuted as "hackers".

        Years ago, when open FTP was still a thing (don't tell me it still is) I went onto a download site - a Norwegian Universtiy IIRC - and realised that I'd just cd ..ed past my original access directory. And then realised I could keep going. Maybe to / if I'd tried.

        Maybe I should let them know. Maybe not. I decided "not" would be easier.

  4. JLV
    Trollface

    Oh, come on, stop picking on Sony.

    It’s not like they’ve ever been hacked. Or ever put users at risk by using rootkits.

  5. doublelayer Silver badge

    Really? A shirt?

    Here's a question for you. Have you ever been excited or even generally pleased about a free shirt from a company or event? For me, they've ranged from "Well, now I have another shirt" down to "Well, now I have another thing to wear if I decide to paint". That's without considering the possibility that I might not want someone else's logo displayed on my person. Of the many really cheap things you can make a bunch of and give to people, most are more generally useful.

    Oh, and the bug finders don't need more shirts, people. I thought you could figure that one out. They've saved you the time and money it would cost to find the bug yourself or to deal with whatever problem would occur if someone else found it and sold it on the dark web. Show them some respect by giving them a small amount of that.

    1. 404

      Re: Really? A shirt?

      My Microsoft Internet Explorer 3.0 Midnight Madness t-shirt - I was very excited to receive that one lol. Four downloads over a 56k modem, three eventually failed, no auto-resume... yeeeah... Have a Netscape Communicator one I'm pretty fond of too.

      That being said, most of my wardrobe consists of free tshirts from various companies, but I don't have to work for them - you have to pay to make me look at your network. Til then, don't care. No time.

      1. Acme Tech Support

        Re: Really? A shirt?

        Still have my Windows 2000 System Builders t-shirt around somewhere..... Covered in paint and oil....

        1. Yet Another Anonymous coward Silver badge

          Re: Really? A shirt?

          >Still have my Windows 2000 System Builders t-shirt around somewhere..... Covered in paint and oil....

          I think you might ave been building it wrong.

          Or I'm parsing it wrong and MS delivered a version of their best OS for the construction industry - did it come with a bum crack ?

    2. big_D
      Coat

      Re: Really? A shirt?

      Well, it was better than the root-kitted USB stick he could have received...

      Mine's the one with the USB stick I found in the carpark in the pocket.

    3. Korev Silver badge

      Re: Really? A shirt?

      I used to live with a primary school teacher, any free shirts were given to her for her pupils to paint in

    4. Anonymous Coward
      Joke

      Re: Really? A shirt?

      "I reported a security vulnerability to $corp that saved them from being fined 4% of their global revenue and all I got was this lousy t-shirt."

      Hmm. Could be snappier.

      Maybe send the shirt back and ask for underpants?

  6. Anonymous Coward
    Anonymous Coward

    The shirts can be trouble.

    I once did a consulting stint for a large company with a famous name & easily recognizable logo. They gave me a company shirt as a thank you gift. I thought nothing of it at the time, tossed it on the pile of all the other shirts, & ignored it.

    Fast forward a year or so & I'm no longer working there, but I still had the shirt. I'm wearing it on a day off (because it was a nice & warm shirt on a chilly day) and walk into a local electronics mega store. I get grabbed before my eyes have adjusted to the light & someone is howling at me "It's about damned time! We've got a real shit storm headed our way & it's all your fault!"

    I politely extract myself from their clutches & ask them WTF. It turned out that they thought I worked for said company *because I was wearing an official company shirt*. I explained that I didn't work there, I merely had the shirt.

    It turned out that the store was having serious server issues & had called in a scream for help from the company. They thought *I* was the rep sent out by the company to help them. Had I felt like being a right bastard I could have pretended to be said repair tech, gained access to their servers, & caused such destruction that the store might never have recovered. Instead I told them the truth. They were confused, annoyed, then sheepish. I was given a ten dollars off coupon in thanks that I had *not* pretended to be what I wasn't. The real rep arrived while I was still beside the door being grilled by the manager. The real rep looked confused. "Are you here from $Location office? I'm from $OtherLocation."

    I explained the situation, that I was just a regular guy that once worked for the company & still had the shirt. The real rep laughed, nodding his understanding, & scampered off with the manager to get shit done.

    Don't hand out official company shirts to folks if you aren't sure those shirts won't be improperly used. All it takes is one case of mistaken identity & your company might find itself up to the neck in repercussions. =-|

    1. David 132 Silver badge

      Re: The shirts can be trouble.

      I once did an event for my company where the uniform they gave us for the day was a bright orange polo shirt. I made the mistake, on my way home, of stopping at Sainsbury’s to grab some groceries. What is (or was at the time, I’ve not been in there in years) their corporate colour? Yes.

      I got asked by so many people for help finding things (“Do you have this bean lard mulch with vitamins?” “Do you have smaller spoons?”). If I were in a bad mood I could have caused so much damage to their customer service reputation that day...

      1. CAPS LOCK

        “Do you have this bean lard mulch with vitamins?”

        Not surprised, I can never find that either. Where do they keep it then?

        1. Flakk

          Re: “Do you have this bean lard mulch with vitamins?”

          It's down the aisle from the almond whisky and the kale-infused water.

        2. David 132 Silver badge

          Re: “Do you have this bean lard mulch with vitamins?”

          @ CAPS LOCK

          It was a subtle attempt at a Don Hertzfeld reference. Now I feel Rejected.

      2. Kubla Cant

        Re: The shirts can be trouble.

        You don't even need an orange shirt. Once upon a time we all wore suits to work, but not many suit-wearers went to the supermarket*. I've been taken for the Manager** more than once.

        * In the sticks, that is. Probably different in a city.

        ** Perhaps I used to buy the sort of crap suit that a supermarket manager would wear.

        1. Yet Another Anonymous coward Silver badge

          Re: The shirts can be trouble.

          Some street theatre group did that with BestBuy in New York

          They dresses people up in blue polo shirts (without logos) and khakis and had them walk into the store a few at a time until the store had 100 apparent employees.

          It got even weirder when the police were called and tried to work out who/what/why to arrest

  7. Nolveys
    Headmaster

    This story makes no sense...

    ...how does one install a root kit on a shirt?

    1. Korev Silver badge
      Coat

      Re: This story makes no sense...

      Don't worry, you'll cotton on soon

    2. David 132 Silver badge
      Coat

      Re: This story makes no sense...

      Switched fabric, of course.

      1. Will Godfrey Silver badge
        Linux

        Re: This story makes no sense...

        I'm not sure I like the way this thread is going

        1. Bill Gray
          Coat

          Re: This story makes no sense...

          "I'm not sure I like the way this thread is going"

          Yeah, it's sew seamy. There's something about it I can't pin down.

          OK, I'll zip it now... didn't mean to needle anybody.

          1. David 132 Silver badge

            Re: This story makes no sense...

            Bill Gray

            Darn it. Now you’ve made me all crochety.

  8. Anonymous Coward
    Anonymous Coward

    Might have been worse!

    They could have sent him 2 SONY T-shirts!

    1. Tigra 07
      Facepalm

      Re: Might have been worse!

      In the wrong size...

  9. random robbie

    Not the first

    I've had Aws keys for Sony myself due to a ssrf.

    Their tshirt swag is abismal so it's why I don't hunt.

    They got the money to pay up.

    I've also given a friend a SSRF to report to Sony so he could get their bad tshirt.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not the first

      Why would you want your friend to advertise a company (via his t-shirt) that you don't have much respect for anyway? It's not like t-shirts are worth that much in themselves...

      Unless he uses it for DIY et al for years until it looks dreadful (like my Dad's ancient "Amersham" sweatshirt) then goes around wearing it in public, making Sony look bad by association. :-)

  10. steviebuk Silver badge

    And this....

    ..is why the Sony Pictures Hack happened. Cause they simply don't give a fuck.

    Cocks.

    I got offered free magnets from a very small online store, years ago that wasn't using HTTPS on their store page & I wanted to order from them due to being the only ones that sold the tiny powerful magnets to stick in models :)

    Free magnets. Great.

    Anyway. Others I've reported I've just been ignored but then seen them fix said issue a few days later. Another company replied back quite defensive who, it was clear, had been running unsecure for years from the previous owners. And local gov and other small companies use this site! They've fixed some of the reported issues but not the rest and then stopped replying to my e-mails. And the biggest one that was ignored was Twitter. I reported to them years ago, once signed in, if you went to reset your password, their code would sometimes push you to a http page instead of https. I reported it, was totally ignored so I disclosed the issue on YouTube. A tech and security journo picked the story up and they listened to him (I'd never heard of the guy, I just happened to come across his blog post one day) and he put in a mention that I'd reported it and been ignored.

    I don't really bother much now.

    1. Joe Harrison

      Re: And this....

      I reported similar to Tesco once (they forgot https on one route to card payment) and they sent me a nice thank you note and a five quid voucher. Mind you this was in the 90s when a fiver actually meant something.

      1. Anonymous Coward
        Anonymous Coward

        Re: And this....

        It was acceptable in the 90s.

        It was acceptable at the time.

  11. JDX Gold badge

    It's 2019 and...

    ... you don't need to put what year it is in the title.

  12. Michael Strorm Silver badge

    Free exposure but no payment for The Oatmeal, ironically

    "Payment? Never mind that! You're doing it for the exposure^w cheap t-shirt!"

  13. Claverhouse
    Angel

    One's True Reward is in Heaven

    Money goes, but a T-Shirt is forever.

  14. Stretchoman

    Where's the inspiration?

    It still shocks me that a large number of rewards on Bug Bounty lists are nothing but 'Hall of fame' or 'Swag', or neither at all. It's genuinely insulting to people that have spent time (and often money) learning these skills, only to be rewarded with a T-shirt or mention on an unadvertised web page. Why would anyone want to find a bug in your system or code just to be condescended by unenthusiastic "rewards".

    I understand that some people do it for fun, and that is fine of course, but companies offering no genuine reward for help potentially saving them millions are probably the same ones that expect employees to pay for their own coffee in the office.

  15. N2
    Coat

    This is really tight

    Couldn't they offer something by the backdoor to avoid publicity?

    Coat.

    1. doublelayer Silver badge

      Re: This is really tight

      There could be a lot of benefits in having publicity. Don't publicize the errors much, just say that they were fixed, and the person reporting them got $large_amount_of_money from you. That attracts others to try to find vulnerabilities in your system so they can get $large_amount_of_money too. Not that you always pay them a large amount--that depends on the scale of the bugs they found for you--but if the bugs were indeed critical, they deserve it and you can use it.

  16. Potemkine! Silver badge
    Holmes

    "Many of the companies that claim to be concerned about the safety of their consumers are, in fact, not."

    What?! PR would be lying to us?! I'm shocked!

  17. jonfr

    Sony - Never buy

    Based on my experience with Sony Mobile and Sony Bluetooth I am never going to buy their hardware again. Its buggy and unstable. I am not surprised to read about this reaction about when bugs are discovered. At best, Sony Mobile fixed a bug that resulted in a crash when the Wi-Fi interface was in Icelandic on Android 8 on Sony Xperia XZ Premium. Other bugs (unstable Wi-Fi) were not fixed.

    1. Andrew Moore

      Re: Sony - Never buy

      My boss got a Sony Vaio many years ago, and the motherboard blew on it. Thankfully it was within the warranty period. The downside was the boss had been storing all his photographs on it, in a non-backed up area. Next problem- the hard drive was not accessible without dismantling the machine (first for me). I rang Sony support (after paying for the privilege) to be told by a passive aggressive little shit, that I was to backup any data before returning it to them as the drive would be blanked; and that opening the machine to get at the drive would void the warranty. I kept pointing out that the motherboard was fried, but he just kept repeating about backing up and voiding the warranty.

      In the end the boss decided that the photographs were more important. And he also issued a decree that the company was not to buy any more Sony products.

      1. Anonymous Coward
        Anonymous Coward

        Re: Sony - Never buy

        Your boss is a $@% - any idiot that does not back up stuff deserves to lose stuff. Any puter can suffer a failure and laptops often need to be pulled at least partly apart to get the hard drive. If you can't afford to lose it, and you don't back it up, cry quietly in the corner somewhere.

  18. cdrcat

    I found a vulnerability this week

    I found a corruption similar to CloudBleed while tracking down a race condition with our SPA communications. The problem was most likely caused by an obsolete Cisco web appliance, but some chance it was IE11, and a small chance that it was CloudFlare.

    CloudFlare use HackerOne but don't seem to offer a bounty from what I could tell.

    Why would I waste time tracking down the root cause without getting paid? I get paid in my job to find bugs, and fix them. I don't do it for free, and I certainly don't need kudos or T-shirts.

    So the vulnerability is not notified - everyone loses.

  19. Anonymous Coward
    Anonymous Coward

    Oh, that reminds me.

    I have some idiot continually trying a dictionary attack on one of my servers, and I get zero response from their ISP or the one upstream. Their problem: they're in Europe, so I'm collating the logfiles and then send it on to the local police.

    And filter out that IP address, of course.

    F*ck em.

  20. 9Rune5
    FAIL

    Safety of the consumer

    "Many of the companies that claim to be concerned about the safety of their consumers are, in fact, not."

    Wait, shorely Sony is not on that list? They care, they truly do.

    I'm certain of it.

    https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

  21. Caver_Dave Silver badge
    Coat

    Grrr!

    It is getting increasingly hard to buy clothing without company logo's on them.

    I'm sick of it!

    If you want me to walk around in a shirt advertising your company, then you can bloody well pay me to do it - I'm not going to pay for the privilege.

    Mine's the coat with no logo on it!

  22. Aodhhan

    Companies don't do anything which isn't in writing

    Look... if a company doesn't have a published policy for bug bounties, then you aren't likely going to get anything but swag--if that.

    The InfoSec organization in the company doesn't have funds set aside for bounties, and they can't just give money to someone--even if they want to.

    So if you're trying to make a living doing this, then search for those businesses with a published bounty policy.

  23. shawnfromnh

    As he sits at his computer in a Sony tshirt, a young man who feels he's been screwed post on the dark web many weaknesses in the Sony website he hadn't disclosed yet. Sony I hope someone reads this because it can happen. They might not hack you but instead pass the gun to someone who without hesitation will hack your site and do other things if their is a way from the site to other parts of Sony. Hell letting loose a crypto program so the server is all but bricked might make them put a few thousand out of their tightwad wallets to actually show a bit of gratitude to the people that are doing this great service for them and not spit on them by sending them marketing materials. Only a stupid person would think that was appropriate. Hell if not cash send them at least the latest PlayStation or are you to cheap for that. Well when they get hacked so big their website is down for days or even weeks then they'll pay more for what they should have paid up front.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like