Bug Bounty programs are becoming more common, but sometimes the reward being offered is far less than the perceived value of the bug / exploit. What do you think can be done to make it worth the researcher's time and effort to work with a vendor directly?
CE: The simple answer is to increase the rewards for the researchers. As this concept of incentivized disclosure grows, you end up with a marketplace where companies will compete for the attention of researchers. Then, as there's more competition for this attention, companies will want to offer more rewards.
I heard someone say, "the best deals are the ones that both parties walk away from feeling a little bit screwed, and happy overall." It's a classic business exchange, the kind we participate in every day - the seller wants to sell their bug for as much as they can, but the buyer doesn't want to pay too much. At the end of the day, it comes down to finding that reasonable middle ground where the value is being transacted in both directions.
At Bugcrowd, we want to make sure there's value behind what organizations are paying. While a researcher may try to up the value of a certain exploit, we examine what's actually realistic. To keep this cost balanced, I recommend starting a dialog around the value of a vulnerability. If you can create a clear understanding, then everyone will walk away from a transaction feeling like it was a good deal.
Do you think vulnerability disclosures with a clear marketing campaign and PR process, such as Heartbleed, POODLE, or Shellshock, have value?
CE: At a security conference, I asked for a show of hands to this question: "How many people know the CVE for Heartbleed?" Not a single hand was raised, and this was at a security conference. Everyone in that room was aware of "Heartbleed" though, and most to the extent that they could explain the bug, where it exists and how to mitigate it. That's valuable.
Security is fundamentally a marketing problem. If you're outside of the security realm, you need to be made aware that this stuff goes on. If awareness requires a fancy logo and name, then I will support it. There is some concern about overhyping and distracting from other issues that vulnerability marketing creates, like reactive scenarios where CISOs only hear about stuff if it pops up in the press. However, there's balance to everything, and my strong belief is that we're net ahead on this one.
If the proposed changes pass, how do you think Wassenaar will impact the disclosure process? Will it kill full disclosure with proof-of-concept code, or move researchers away from the public entirely, preventing serious issues from seeing the light of day? Or, perhaps, could it see a boom in responsible disclosure out of fear of being on the wrong side of the law?