‘Pay bounties for hacker automation’: Harvard, MIT

An economic study has suggested a ‘bounty’ system for hackers capable of building automated ways of identifying security bugs.

Economists from Harvard University and the Massachusetts Institute of Technology (MIT), in partnership with the HackerOne bug-bounty service, analysed the market for “zero-days” – software vulnerabilities not yet known to the vendor, and therefore not yet patched.

They found that people who discover zero-days have a choice. They can “sell” them back to the companies trying to defend against intruders, allowing them to patch the hole. Alternatively, they can sell them to intruders.

In many cases, the intruders are governments, which purchase zero-days for use in espionage operations. According to the study, documents leaked by the former NSA contractor Edward Snowden showed that:

governments, including the U.S., are major players in purchasing vulnerabilities at high prices to use for offense purposes.

Major governments can usually outspend the defensive buyers – i.e. the software companies – so the defenders need to find other ways of tipping the market in their own favour.

Paying bigger bounties, however, creates a new problem. If software testers and developers can earn more as bounty-hunters than they can working for a salary, they have little incentive to keep working as testers and developers. This would drain the talent available to fix security holes, or to develop new software.

The study offered a different suggestion. Greater automation, it argued, matters more than greater numbers of people looking for zero-days, whether internally or externally. It recommended that “mature vendors” add special incentives to their bug-bounty programmes to encourage the creation of new automated tools and techniques that find security holes more efficiently.

As an aside, the report noted that governments often faced a difficult choice over whether to inform the software company so they can fix the vulnerability, or to stockpile the zero-day for use in their own intelligence operations. “Governments playing roles in both defense and offense should also try to help defenders gain access to better tools for vulnerability discovery,” the study recommended.
