Internet Bug Bounty Raises New Funding to Improve Open-Source Security
The Internet is a minefield, with new and advanced threats casting a fearful specter of deep trouble. With the recent WannaCry ransomware attacks on computing systems all over the world, the danger is real and alarming. It seems that no security measure is ever enough, and open-source software is quite the playground for malicious hackers.
It’s in this context that the Internet Bug Bounty (IBB) has managed to raise funding for an important measure – rewarding security researchers for “responsibly” disclosing any vulnerabilities they find in open-source software. This helps to comprehensively identify loopholes in open-source software through which security threats could potentially make an entry. The funding for this IBB venture is coming from Facebook, GitHub and the Ford Foundation, which are each donating $100,000 to the mission, for a total donation of $300,000. These entities hope the rewards will play their part in securing the Internet by strengthening open-source software.
More about IBB
IBB was started in 2013 with the help of HackerOne, the bug bounty platform provider, and HackerOne still operates the platform today. Back then, IBB was sponsored by Microsoft and Facebook along with HackerOne. Facebook has now renewed its sponsorship with $100,000, with the Ford Foundation and GitHub sponsoring similar amounts. This should give security researchers the necessary encouragement to do their bit.
Over its existence, IBB has awarded $616,350 in bug bounties to security researchers who have done their bit by responsibly disclosing vulnerabilities in open-source software. Last year alone, IBB awarded $150,000 for more than 250 vulnerabilities disclosed by researchers. IBB claims that 100% of its donations are spent on rewarding and encouraging security research.
The Heartbleed vulnerability was discovered in 2014, and IBB rewarded a bounty of $15,000 to Neel Mehta, the Google security researcher who reported it. Other high-profile vulnerabilities reported include Shellshock, which fetched a reward of $20,000, and ImageTragick, which fetched $7,500. The IBB panel consists of security experts who define program guidelines and allocate bounties to the areas most in need of security research.
Internet Bug Bounty and Core Infrastructure Initiative
There are recognized researchers in IBB who can identify and uncover vulnerabilities in open-source software such as Phabricator, Ruby, RubyGems, PHP, OpenSSL, Python, and others. The IBB is in some ways similar to the Core Infrastructure Initiative (CII), particularly in its end goals. The CII helps tech companies collaborate to identify and fund open-source projects that need assistance, while the developers continue working under open-source community norms. The IBB, for its part, rewards security research that successfully identifies vulnerabilities in open-source as well as other critical software.
HackerOne Advanced Security Platform
HackerOne is recognized as the leading hacker-powered security platform, with access to the most trusted hackers in the world. Reportedly, its services are used by over 800 organizations, including names such as General Motors, Nintendo, Qualcomm, Twitter, Starbucks, GitHub and Panasonic Avionics, and even government departments such as the US Department of Defense, to detect critical vulnerabilities in software before criminals exploit them and wreak havoc.
Back in June 2017, HackerOne released its Hacker-Powered Security report, which described several findings. One of these was the average bug bounty for detecting a critical vulnerability, which stands at $1,923. The highest average bounty paid for a critical vulnerability is $4,491, in the transportation industry. Next is the technology sector, which paid an average of $2,015. At the bottom of the list are the health care and education sectors, which paid an average of $643 and $317 respectively for critical vulnerabilities.
Crowd-sourced Security Testing Pros and Cons
Security threats are so vast that research by a few individuals working for their respective companies can neither cover the entire scope of threats and vulnerabilities nor significantly benefit the global public. The scope of public security research is much greater, and such research has resulted in many critical vulnerabilities being resolved throughout the history of the Internet. Rewards motivate hackers to report the vulnerabilities they detect, and no one can do it better than these public-friendly hackers themselves. That’s what the bug bounty concept is all about. It’s probably the most effective way to deal with the increasingly complex dangers and attacks faced by the Internet-browsing public and by open-source software.
There are potential issues, though. This kind of crowd-sourced security testing could generate a significant number of vulnerability reports, which is a good thing, but can be too much for the open-source projects participating in the IBB to study and process. While comprehensive vulnerability reports are an indication that security loopholes are being analyzed and reported in detail, you can’t rule out the unintentional submission of false reports. The people trying to detect flaws have varying skill levels; some are less skilled than others, and many are not traditional developers.
More Full-time Human Resources Needed
The detected vulnerabilities must also be removed from the code, or they could be used by malicious hackers to cause disruption; in that case, the whole purpose of the IBB program is lost. Unless there are sufficient developers to act on the vulnerability reports they receive, the program cannot serve its purpose. GitHub’s vice-president of security, Shawn Davenport, has acknowledged this challenge. More financial and technical resources, as well as full-time staff, need to be channeled into the effort.
The Core Infrastructure Initiative was formed by the Linux Foundation. Its objective was to provide critical open-source projects with much-needed financial resources so that more developers could be hired to improve overall security through greater responsiveness to identified threats. CII is sponsored by tech giants such as Google, Facebook, Microsoft, IBM, Intel, Adobe, Amazon, Qualcomm, Cisco, HP and Huawei.
With HackerOne supporting the mission technically, you can expect this IBB project to contribute significantly to securing open-source software. But a lot more needs to be done. Let’s hope that projects like the IBB and CII keep expanding their reach and generate more funding, giving open-source software developers the resources to carry out the changes required to ensure security for the end user.