Paying security researchers risks breeding bad attitude, says UK bounty hunter

James Forshaw won $100k from Microsoft but worries about future

The booming rewards on offer to researchers hunting software security flaws risk breeding a culture of entitlement, according to one of the UK's most successful bug hunters of recent times, James Forshaw of pen-testing firm Context Information Security.

As the researcher awarded the first ever Microsoft $100,000 (£66,000) bounty 'jackpot' last October, you'd expect Forshaw, 35, to stick up for the idea of handing over money for flaws, but during a conversation with Techworld his doubts about the direction of a burgeoning industry quickly surface.

That direction is one in which a growing range of vendors now run programmes where a global cottage industry of full-time, freelance security researchers sells them vulnerabilities in return for money.

Measured and thoughtful, Forshaw worries that the growing money on offer could breed a bad attitude in some quarters: an expectation of reward from any affected vendor.

"Your biggest problem is when people demand money," he says. "People will try to blackmail companies, they will stamp their feet."

The bounty industry started a decade ago in contentious circumstances when specialist firms such as TippingPoint (now owned by HP) and iDefense started shoving cash at the shadowy coders who'd twigged that software was full of valuable and dangerous vulnerabilities people would pay to know about first.

These days, software brands including Mozilla, Google, and Microsoft have reluctantly joined in this party, setting up programmes that offer rewards for responsible disclosure of flaws in their (and usually only their) software.

It's been apparent for years that professional criminals have been driving the market with reward programmes of their own, which nobody paid much attention to until it turned out that some of these 'criminals' included nation states out to subvert one another.

Heads were banged together across the industry and the tide has now turned in favour of treating it like a market rather than a moral obligation. Vendors will never compete with criminals for rewards but at least they can drive up the price and perhaps keep some of the worst flaws - zero days - off the supermarket shelf.

Vendors have also realised that they can look foolish when researchers start publicly discussing their programmes, or more often their lack of them. Ask Yahoo, which last year turned out to be offering $12 t-shirts in return for serious flaw disclosure, almost worse than offering nothing at all. A few bad headlines later and Yahoo became the latest software house to set up a formal programme, with rewards of up to $15,000 for top flaws.

"It's getting to the watershed moment. It [payment] is now seen as the rule rather than the exception," notes Forshaw. "The fact that vendors are putting up the money does legitimise the market."

As to introducing software liability, Forshaw is sceptical, worrying that it would kill the risk-taking and innovation that is the point of software.

"If you start charging companies you start dis-incentivising them to produce new features."

The volume of flaws is as much a direct consequence of this innovation as of the lack of formal software development lifecycles that build in security from the start to stop vulnerabilities from occurring. That would be too complex and expensive for many firms that already rely on getting outside coders to turn around new software as rapidly as possible. Mistakes inevitably creep in and security gets a lower priority.

"Secure programming is a nice ideal," says Forshaw, sceptically.

What about more recent ideas such as setting up a global repository or programme for buying flaws across all vendors, not just those rich enough to hand out money to professional bounty hunters?

Again, because the supply of serious vulnerabilities is always large, "outbidding the bad guys would not necessarily make the world more secure." The expense would be huge and that's before considering the effect of states bidding for flaws for their own use, he says.

That is a tough one to answer. Even if the software industry collaborated, governments would need to be part of the programme, the better to feed reported flaws to vendors via national CERTs. Yet, by the same token, governments are happy to use a private stock of flaws in cyberwarfare when it suits them. Checkmate.

For the record, Forshaw's widely-publicised reward went not into his own bank account but to fund the research he is left alone to do as part of his day job working for ContextIS.

As Forshaw puts it of the bugs he's been paid for, "It keeps me ticking along doing the things I like doing but there is always a question of how research pays for itself. It keeps the accountants at bay."

As head of vulnerability research, his success highlights a point that tends to get lost when the question of bug bounties gets batted back and forth: even now, vendors aren't that interested in paying their own staff to do this sort of job, despite the sometimes serious consequences when unpatched vulnerabilities are used in real-world attacks.

The fact that Context IS, a firm that makes its money offering a range of forensics services, allows him to spend time on something that doesn't always have much of a commercial pay-back remains an oddity in the UK. In Britain, flaw hunters do it for love or money, but usually alone.

"The 'no more free bugs' mantra has been used for a number of years, but perhaps we have finally reached that point. This might increase the future risk that if the bounty programs are scaled back it could irritate researchers sufficiently for them to go to full disclosure or to sell into less legal markets which is bad for the majority of the users of the Internet," mused Forshaw in an earlier, unpublished article.

"Where bounty programs go from here is unclear."

Today, if Forshaw is not the UK's only successful bounty hunter, he remains the only one to receive serious money from Microsoft in return for a piece of bad news.


Stories by John E Dunn
