Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Paying security researchers risks breeding bad attitude, says UK bounty hunter

James Forshaw won $100k from Microsoft but worries about future

Article comments

The booming rewards on offer to researchers hunting software security flaws risks breeding a culture of entitlement, according to one of the UK’s most successful bug hunters of recent times, James Forshaw of pen-testing firm Context Information Security.

As the researcher awarded the first ever Microsoft $100,000 (£66,000) bounty ‘jackpot’ last October you’d expect Forshaw, 35, to stick up for the idea of handing over money for flaws, but during a conversation with Techworld his doubts about the direction of a burgeoning industry quickly surface.

That direction is that a growing range of vendors now run programmes in which a global cottage industry of fulltime, freelance security researchers sell them vulnerabilities in return for money.

Measured and thoughtful, Forshaw’s anxiety is that the growing money on offer could breed a bad attitude in some quarters, the expectation of reward from any affected vendor.

“Your biggest problem is when people demand money,” he says. “People will try to blackmail companies, they will stamp their feet.”

The bounty industry started a decade ago in contentious circumstances when specialist firms such as TippingPoint (now owned by HP) and iDefense started shoving cash at the shadowy coders who’d twigged that software was full of valuable and dangerous vulnerabilities people would pay to know about first.

These days, software brands including Mozilla, Google, and Microsoft have reluctantly joined in this party, setting up programmes that offer rewards for responsible disclosure of flaws in their (and usually only their) software.

It’s been apparent for years that professional criminals have been driving the market with reward programmes of their own which nobody paid much attention to until it turned out that some of these ‘criminals’ included nations states out to subvert one another.

Heads were banged together across the industry and the tide has now turned in favour of treating it like a market rather than a moral obligation. Vendors will never compete with criminals for rewards but at least they can drive up the price and perhaps keep some of the worst flaws - zero days - off the supermarket shelf.

Vendors have also realised that they can look foolish when researchers start publically discussing their programmes, or more often lack of them. Ask Yahoo, which last year turned out to be offering $12 t-shirts in return for serious flaw disclosure, almost worse than offering nothing at all. A few bad headlines later and Yahoo became the latest software house to set up a formal programme with rewards of up to $15,000 for top flaws.

“It’s getting to the watershed moment. It [payment] is now seen as the rule rather than the exception,” notes Forshaw. “The fact that vendors are putting up the money does legitimise the market.”

As to introducing software liability Forshaw is sceptical, worrying that it would kill the risk-taking and innovation that is the point of software.

“If you start charging companies you start dis-incentivising them to produce new features.”

The volume of flaws is a direct consequence of this innovation as much as the lack of formal software development lifecycles that build in security from scratch to stop vulnerabilities from occurring. That would be too complex and expensive for many firms that already rely on getting outside coders to turn around new software as rapidly as possible. Mistakes inevitably creep in and security gets a lower priority.

“Secure programming is a nice ideal,” says Forshaw, sceptically.

What about more recent ideas such as setting up a global repository or programme for buying flaws across all vendors, not just those rich enough to hand out money to professional bounty hunters?

Again, because the supply of serious vulnerabilities is always large, “outbidding the bad guys would not necessarily make the world more secure.”  The expense would be huge and that’s before considering the effect of states bidding for flaws for their own use, he says.

That is a tough one to answer. Even if the software industry collaborated, governments would need to be part of the programme the better to feed reported flaws via national CERTs. Yet, by the same token, the governments are happy to use a private stock of flaws in cyberwarfare when it suits them. Checkmate.

For the record, Forshaw’s widely-publicised reward went not into his own bank account but to fund the research he is left alone to do as part of his day job working for ContextIS.

As Forshaw puts it of the bugs he’s been paid for, “It keeps me ticking along doing the things I like doing but there is always a question of how research pays for itself. It keeps the accountants at bay.”

As head of vulnerability research, his success highlights an issue that tends to get lost when the issue of bug bounties gets batted back and forth; even now vendors aren't that interested in paying their own staff to do this sort of job, despite the sometimes serious consequences when unpatched vulnerabilities are used in real-world attacks.

The fact that Context IS – a firm that makes its money offering a range of forensics services – allows him to spend time on something that doesn’t always have much of a commercial pay-back remains an oddity in the UK.  In Britain, flaw hunters do it for love or money but usually always alone.

“The ‘no more free bugs’ mantra has been used for a number of years, but perhaps we have finally reached that point. This might increase the future risk that if the bounty programs are scaled back it could irritate researchers sufficiently for them to go to full disclosure or to sell into less legal markets which is bad for the majority of the users of the Internet,” mused Forshaw in an earlier, unpublished article.

“Where bounty programs go from here is unclear.”

Today, if Forshaw is not the UK’s only successful bounty hunter, he remains the only one to receive serious money from Microsoft in return for a piece of bad news.


More from Techworld

More relevant IT news


caseyjohnellis said: Disclosure Im the founder and CEO of Bugcrowd who runs bug bounty programs and crowdsourced security testing for our clients

caseyjohnellis said: There are some valid points here but they need to be weighed against the advantage The fact is that many offensive security researcher have been participating in a different kind of big bounty program for as long as their has been software to hack They look for bugs weaponise them and either exploit them or sell them on to the black market or government buyers The real issue here is that all software contains security flaws and finding it before the bad guys do is hard Engaging and incentivizing the security community to help catch the issues that make it out into the wild is not only highly efficient its critical to levelling the playing field

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *