Home Hacking Bug bounty platforms buy researcher silence, violate labor laws, critics say

Bug bounty platforms buy researcher silence, violate labor laws, critics say

by ethhack

When Jonathan Leitschuh found a catastrophic security vulnerability in Zoom, the popular videoconferencing platform, the company offered him money to keep quiet in the form of a bug bounty and a non-disclosure agreement (NDA) through Bugcrowd.

The security flaw affected millions of Zoom users on Mac, and Leitschuh wanted to see the issue fixed. He declined the bounty payment because of the NDA, gave Zoom an industry-standard 90-day embargo to ship a patch, and when the company failed to do so, he published his research. 

Cue fireworks. Zoom got a lot of negative media attention and fixed the security flaw. Leitschuh’s struggle to hold organizations accountable for their poor security posture is more common than you may think, and some security researchers feel the bug bounty platforms — HackerOne, Bugcrowd and Synack — have become marketplaces where their silence is being bought and sold to prevent public exposure of insecure practices.

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne’s former chief policy officer, Katie Moussouris, call a “perversion.”

Bug bounty vs. VDP

A vulnerability disclosure program (VDP) is a welcome mat for concerned citizens to report security vulnerabilities. Every organization should have a VDP. In fact, the US Federal Trade Commission (FTC) considers a VDP a best practice, and has fined companies for poor security practices, including failing to deploy a VDP as part of their security due diligence. The US Department of Homeland Security (DHS) issued a draft order in 2019 mandating all federal civilian agencies deploy a VDP.

Regulators often view deploying a VDP as minimal due diligence, but running a VDP is a pain. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it, and when the time is up they call their favorite journalist and publish the complete details on Twitter, plus a talk at Black Hat or DEF CON if it’s a really juicy bug.

Copyright © 2020 IDG Communications, Inc.

Source link

Related Articles

Leave a Comment