Bug bounty programs may not be the most obvious solution to internet-of-things vulnerabilities, but they could be an indicator of vendors willing to do whatever it takes to keep “things” safe.
Rebekah Brown, threat intelligence lead, and Tod Beardsley, director of research, both at Rapid7, sat down with SearchSecurity in November at Rapid7’s UNITED 2016 event in Boston, and they shared their wide-ranging opinions on the pursuit of information security.
In this second installment of our conversation, Brown and Beardsley cover a lot of ground, from the actual risks involved in configuring “things” and the potential value of choosing IoT vendors based on whether they have bug bounty programs.
See the first part of this Q&A here.
This transcript has been edited for clarity and length.
Let’s talk about vulnerability disclosure. Google found a zero-day in Windows, and Microsoft said, “It was the Russians.” Are we figuring out a better way to do disclosure — whether it’s responsible disclosure or coordinated disclosure? And how do we do it in a way that is fair for everybody — for the users, for the vendors and for the researchers?
Tod Beardsley: Well, I think it’s not even so much the story of how the disclosure went, but how the patching is going. Where are the mitigations? What’s your short-term mitigation? What’s your patch schedule? That’s a problem we run into a lot.
I’m not going to blame anybody for shipping bugs. I have written software; I write plenty of bugs. Some of these bugs are going to be security issues. This is how we develop software today. If your strategy is, ‘Well, just don’t ship bugs,’ you may as well say, ‘Your strategy is to first change human behavior.’ And that’s not going to work. I promise you.
I do think we are getting a lot better at it, and I want to emphasize that, because I handled a lot of the vulnerability disclosure — basically all of the outbound vulnerability disclosure — at Rapid7. And I used to get a lot more either silence when I would tell someone about a vulnerability, or angry letters on lawyer letterhead. I get far fewer of those today, and this may be totally anecdotal, but I don’t think I’ve run into that this year at all, yet.
So, I am very happy with where things are going. I think companies, even small Kickstarter projects to Johnson & Johnson, are across the board just raising the bar of how we deal with security researchers, where they come knocking and tell you about a bug. It’s gotten a lot more normalized.
I think a lot of that is due to the [bug bounty programs] that have cropped up. You can have opinions on the efficacy of bug bounties, but at the very minimum, they’re setting up an environment where it’s OK to talk about this. We live in a culture of ‘see something, say something,’ and for a long time, that did not apply to the internet. If you saw something and said something, you would get an angry lawyer after you. And that happens a lot less often. So, I’m very happy about that.
Rebekah Brown: And I think we’re seeing a lot more situations, as well, where the vulnerability disclosure is like the example you gave. It isn’t that somebody found it; it’s that somebody saw an attack. They saw somebody else exploiting it and were able to understand what had happened and report that.
And I think those are critical situations where we need to have very good coordinated disclosure, as well, because there is a definite threat from those vulnerabilities. And the faster you can get the patching … let’s get the patches out there. What are the hotfixes we can do in the meantime? What are the things to be watching for while you’re trying to go through this process of an out-of-band patch or an expedited patching schedule? Because there is a significant threat associated with that vulnerability. And I think a lot more people are showing up to do that type of research, as well. So, we’re going to start seeing that situation more.
So, how about those bug bounty programs? What should we know about those and how they’re working?
Beardsley: I’m conflicted. Bug bounties are often set up with [the understanding that] here are these things that are in scope, and these are things that aren’t [in scope]. So, that’s the first strike against [them], because the bad guys don’t care about the things that are in and out of scope.
If I’m an attacker and I’m targeting some company for some reason, I’m going to sidestep everything that you think you care about. Tod Beardsleydirector of research, Rapid7
If I’m an attacker and I’m targeting some company for some reason, I’m going to sidestep everything that you think you care about. I’m going to go after your home router, the CFO. That’s going to be a softer target. It’s going to give me tons and tons of access to your internal workings and, I guarantee, the CFOs don’t matter. It’s not in scope for any bug bounty on earth.
On the other hand, people should get paid for what they do. There are bug bounties set up now that don’t give money. They give props and kudos and T-shirts, which I think may be as effective — or more effective — than just straight paying for what comes down to volunteer ad hoc [quality-assurance] work.
I think there are a lot of interesting ways to do it. I think it’s evolving and shifting rapidly — the fact that we have two or three real name-brand companies in this space tells me that there’s a lot to come.
I, at one point, was very solidly against [bug bounty programs], and that happened to coincide with the time when I was working at an open source exploitation development framework that we required free information. Turns out, we’ve never paid for bugs for Metasploit … I cannot think of a single instance in the 15, 16 years of Metasploit that we’ve ever done that. But it’s really interesting how things are evolving now.
Brown: Yeah, I think it’s a good avenue. I think that if you have somebody who has discovered something, again, through kind of an ad hoc [QA] process, it’s great when there is a way for them to communicate that and high fives, kudos, money … get something for it. … I know a lot of people talk about, ‘Well, you can get more money selling it on the black market than doing a bug bounty.’ But Tod and I can go rob a bank right now and make a lot more money, and we still show up to work every day.
Beardsley: There’s tons of money in kidnapping, too.
Brown: Exactly. We should talk about that one. But, no, that is true and you can make more money there. But it’s a crime, and so I’m hoping that it’s a good turn for some people. And that there are a lot of people who are still are interested and feel compelled to find things like this, and I think it’s really good for them to have a way to communicate that.
Beardsley: And if an organization has a bug bounty setup, this is a really strong signal that they are very mature. They have gone through all the heartache. They’ve talked to their legal teams.
They’ve probably talked to me, and that’s why they now have one. And I think it’s a really strong signal that that company is taking security seriously on the development side, on the deployment side. They have a patching system.
So, if I were to buy an [internet of things] thing, and my two choices were from a company that had [a bug bounty program] and one that didn’t, I’m going to go for the bug bounty company every single time. Because I know that they take it seriously, and I know that on the day that they have bugs, which will come, there will be reasonable mitigation. They’ll have a good story to tell. They’ll have patches eventually, or at least something. They will acknowledge their flaws just like everyone else already has flaws.
You say you would prefer to buy connected things from IoT companies that have bug bounty programs, but who are the manufacturers that have bug bounties right now?
Beardsley: I know that Philips and Johnson & Johnson, both of which make medical devices — which, when they go bad, people die — they are on the forefront of at least having a strong disclosure and relationship with researchers. I don’t believe they offer … Philips I think does offer a bug bounty, I’m not sure.
Both of them have dedicated aliases for security. They do all the right things when it comes to disclosure. I know HackerOne has a database that’s community-driven where you can look them up. Bugcrowd, I believe, has some things that you can always look them up on any one of them, right, and that’s kind of my first stop. Well, I have two stops. I want to see if they have [a bug bounty program], and I want to see if there’s ever been vulnerabilities disclosed on their products. A product that’s never had a vulnerability disclosed is super fishy, because I know that they’re in there.
Ones that have gone through the disclosure process, I know that they’ve at least someone has looked at it in the past, and they’ve already been through this whole process. So, that’s kind of a high watermark, at least for them.
So, embrace your bugs. That’s the message I want to tell everyone. Just own them and fix them, and know that everyone else has bugs, too, because that’s how we do software. When you are deploying software today, you deploy; you set up all your feature requirements; you set up all your features, all your requirements, all your deadlines; and then you ship something that hits 30% of that, and you call it good. And you’ll just fix it later. And that’s how we do it, and that’s fine.
Brown: I’m getting the feeling you should write like a children’s book, ‘Everyone has Bugs.’ Start teaching them young.