“Ask [the researchers], ‘Here’s a tough problem, help me solve it,’” Moussouris said.
The FireEye fallout
FireEye sells appliances, so it faces a challenge in establishing a bounty program most software companies don’t have to deal with: getting the right version of the product to the researchers. It would be too expensive to provide researchers with the latest appliances to find bugs.
FireEye said the vulnerability Hermansen disclosed was present only in the legacy HX product and has been already been updated for the current version. The company knows of only a handful of customers who are still on the older product, and all other customers are unaffected. Making sure the researchers have the right product is critical, but at the moment, this is sustainable only for cloud platforms and software makers.
That doesn’t mean companies with hardware products can’t work with the security researcher community. Moussouris discussed other models, such as invite-only programs, where the company specifically ask top-tier researchers to provide their expertise instead of having a public program anyone can participate in. This way, the company gets high-quality reports about issues the company considers high-risk. An invite-only program is one way to direct resources toward uncovering “actual issues you are worried about,” Moussouris said.
There are lots of problems with this FireEye/Hermansen stand-off, but the whiff of extortion surrounding the controversy is perhaps the most distasteful. Hermansen’s desire to get FireEye to compensate security researchers for their time and skills make him a hero to researchers who want companies to do more than merely crediting them for the discovery at the bottom of vulnerability notices. But his current tactics and comments on Twitter offering to sell the vulnerabilities to others for a price may make companies even more reluctant to engage with security researchers.
Information security relies on companies, researchers, and customers all working together. To some degree, FireEye put itself in a vulnerable position by neglecting to establish an incentive program. But high-profile bullying tactics help no one.
Sign up for Computerworld eNewsletters.