Find My Flaw … Please!
This is the idea of many industry leaders in the United States as the “bug bounty” era has hit full swing. The likes of Uber, Apple, and even United Airlines have enticed security professionals, and hackers, to seek out and identify their “weaknesses” within their cyber arena. They have begun offering money, and even airline miles, as “bounties” when weaknesses and vulnerabilities are identified and shared with the company.
Bounty Programs: The Pros
The idea behind this strategy is fairly solid: the more people who look for and analyze potential vulnerabilities, the more of them will be identified. Companies are enlisting the help of some of the world’s top hackers and security specialists to conduct vulnerability tests of their cyber space. The protection of personal information has been a top risk strategy for many companies, especially following the leaks of information by Target in 2013, Sony in 2014, Ashley Madison in 2015, and many others.
Bounty Programs: The Cons
Companies are enlisting the help of some of the world’s top hackers and security specialists to conduct vulnerability tests of their cyber space. Sounding like a broken record here, but this can be seen as both a pro and a con, as there is no way to invite only legitimate researchers and not black hat hackers.
It has also been seen that neither group, not even legitimate security researchers, fully follows the guidelines set forth by the probed company; both often dig deeper into the workings of the systems than originally asked.
Is it Smart to Entice?
While there are split feelings on the efficiency and effectiveness of bug bounty implementations, there is one thing which is frequently agreed upon -- the probes often go much further than asked.
This was seen most recently when a legitimate researcher probed Instagram and found many weaknesses within its cyber-space. The researcher managed to gain access to enormous amounts of personal data as well as administrative logins and passwords.
Instead of immediately reporting this vulnerability to Instagram's parent company, Facebook, he took it further, began running secondary weakness checks, and even found the source code to Instagram. This could be detrimental not only to the people whose data was accessed, but also economically to Facebook.
Do Bounties Work?
This will only work if the information gained is acted upon immediately. As noted at the beginning, United Airlines has joined the bug bounty crusade, offering airline miles as rewards for responsibly disclosed bugs and recently awarding 1 million air-miles for the discovery of nearly 20 weak spots.
United Airlines stated that they take the safety, security, and privacy of their customers seriously. Yet, one of the bugs found gave the reporting researcher access to flight manifests, personal information of passengers, and credit card information, and even the ability to change or cancel passengers’ flights. After the information was submitted to United, it took over six months, and a threat by the researcher to release the bug to the public, before it was fixed.
Hey @united, 6 months for a critical vuln is beyond reasonable. Public disclosure is planned for 11/28.
— Randy Westergren (@RandyWestergren) November 5, 2015
Is this acceptable? Is this practice even something which should be utilized, especially in critical infrastructure such as airlines?
“Never open the door to a lesser evil, for other and greater ones invariably slink in after it.” – Baltasar Gracián