Bug Bounty Rant
Having co-owned two security consultancies and worked for a couple more, I understand how things work, but to be honest it doesn't take a rocket scientist to figure out the following.
I was looking for a bug bounty program to play around in. I found one and noticed something that put me off even before typing their domain in my browser bar. So I sent this tweet - https://twitter.com/BugBountyHQ/status/771120766788046849
After sending it, I thought I should explain more as there is only so much you can say with a single tweet, so:
Company X contracts a security consultancy to provide a security audit for them.
Security Consultancy provides the audit with a list of discovered vulnerabilities.
Security Consultancy bills Company X on the industry-standard 30-day payment period.
Within the 30 days, Company X pays Security Consultancy.
First thing to note here: did the consultancy have to wait for Company X to fix the vulnerabilities? Absolutely not. In fact, I have delivered audits, and then a retest is performed a year later and we still find many of the same issues present in the new audit.
As a bug hunter, when I see things like:
it truly annoys me. I feel confident in the fact this company has at some point used a security firm for a traditional pentest and would have paid in a reasonable amount of time, regardless of whether issues are resolved or not.
My only take-aways from this are:
They have no respect for the bug hunter or the personal time the bug hunter invested in the program.
They do not take their bug bounty program seriously. It is more a case of, "just throw it up there; if we get a report, great, and we can take as long as we want to fix it. We will pay the researcher when we get around to it."
I guess my point here is, if you are going to run a bug bounty program, then actually run it and don't treat it as a side show!
Why should a bug hunter be treated so differently from a security consultancy firm? The hunter should not have to sit around and wait for the development team to get their thumbs out of their a** to produce and apply a patch. If you are going to run a bug bounty, give the hunter the respect they deserve.
Wherever possible, pay on triage / validation of the vulnerability. Don't penalize the hunter by making them wait months and months to finally be paid for their efforts and discovery. Why can't the hunter expect a 30-day period, much like the security consultancy? 150 days is an absolute joke.
Anyway, rant over. I feel much better now :)
Going back to the 50-50....I think it's wise to pay 50 up front and 50 later after the fix. I suppose the main reason might be that the dev team might need some assistance along the way to ensure they are able to recreate the issue, and if they get stuck with complex defects, the Researcher can continue to point them in the right direction. Otherwise the Researcher might pick up the bounty and not get back. This is where the relationship with the Research community becomes paramount.
This is why you weaponize it and sell it to Gov^W vetted parties that can resolve the problem one way or another.
On the flip side, I have had to chase invoices for months for a test delivered too. I suppose the answer is, don't waste time on bounty programs whose terms you don't like. Like I wouldn't bid for work I think I'm going to struggle to get paid for. I've turned a few gigs down recently because that risk (looking at the financial status of the client) was too big for me to swallow. I can't see where paying out when an issue is fixed comes from though. I'd never agree to work under those terms; they are abusive.
To be fair though, comparing payment terms between a pen test and a bug bounty programme isn't really a viable one. The business models are completely different. A more realistic comparison is between lawyers working on the meter and lawyers working on a no-win-no-fee basis: whilst on the meter, they'll be submitting monthly invoices as they go; whilst in comparison, no-win-no-fee will only get paid at the end of the project, once a successful conclusion is reached (which could be years away). Is sir wanting to both have his cake and eat it? ;)
These are some good points. I think the game will change over time, as not only the maturity to fix things increases, but also the maturity to run a bug bounty program increases. The previous commenters make good and valid points regarding payouts, but it needs to be added that the probability of an early payout increases with the reputation of the hacker. A guy who started a month ago and reports his first finding to me today will wait a bit longer for the payout. That is part of the game.