When it comes to reporting technical vulnerabilities to the parties involved, most security researchers and hackers know that they need to proceed with caution. Logan Lamb learned that lesson the hard way when he found security weaknesses in home alarm systems and then felt "pressured" by big-name home security vendors to keep a lid on his findings at Black Hat USA 2014 last August.
But Black Hat is also the place where vendors like to invite trouble. Mobile credit card processor Square announced its security bug bounty program, run by HackerOne, in 2014. Microsoft launched its bug bounty program at the Las Vegas convention in 2013. While the possibilities of security bug bounty programs across industries are promoted at Black Hat and other security gatherings, the reality is most organizations still do not have mechanisms that enable "outsiders" to safely report security flaws.
The benefits of vulnerability rewards programs are great, but so are the risks, says Gus Anagnos, the former head of PayPal’s bounty program, who shares his experiences with technology journalist Alan R. Earls in this month’s feature article, "Scrutiny on the Bounty." Anagnos, who joined security startup Synack in July as vice president of strategy and operations, says: "It’s not always clear who you are dealing with -- you don’t know whether you are working with a white hat or a black hat."
Anagnos also says, "There can be a lot of noise in these systems, and the quality isn’t always there, nor are the findings always significant."
Pioneer Google, which launched its bounty program in 2010, offers resources such as Bughunter University to its researchers to help streamline the vulnerability submissions process: "Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security," the company cautions researchers.
Are bug bounty programs just stacking up vulnerabilities? The top monetary rewards are generally aimed at technical vulnerabilities that could lead to compromises of sensitive data and privacy issues.
Ever wonder who coined the term bug? It was Grace Hopper, whom AT&T Chief Security Officer Ed Amoroso "interviewed" during AT&T’s annual cybersecurity conference a few years ago. Marcus Ranum caught up with him to get his hard-won perspective on keeping up with technology assessments as security controls rapidly advance -- and crafting policy strategies in the face of complex security design.
Interest in SIEM systems is increasing as companies look to detect breaches earlier and limit damage. But information overload (false positives) and missed signs of advanced attacks continue to be major problems, Rob Lemos reports in "The Hunt for Data Analytics: Is Your SIEM on the Endangered List?" Big data and advanced analytics have promised to deliver better and more complete threat detection.
As some organizations look for earlier detection of threats from behavioral analytics, we revisit the concept of "good enough" security in the wake of the Sony Pictures Entertainment hacking incident. What are some of the tradeoffs that affect these business risk decisions and how will that change going forward? Technology journalist David Strom interviewed several security officers and IT security managers across various industries and reports his findings in "‘Good Enough’ Security After Sony."
How can enterprises implement defenses based on actual threats and vulnerabilities rather than investing in broader technology measures? Those answers are still hard to come by, as risk management and knowledge of business operations are added to the CISO’s long list of things to worry about -- trusted partnerships, global threat awareness, reliable architecture and proven technology. What is good enough security and when do you need something more?
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.