Bug Bounties and Ransomed Security
Shannon Ragan Sep 10, 2015
On September 6, amid the doldrums of Labor Day weekend, security researcher Kristian Hermansen was hard at work, disclosing a zero-day vulnerability in FireEye’s Mandiant security software. The bug, which could give unauthorized users remote root access to the file system, is merely one of “many handfuls of FireEye/Mandiant 0day” Hermansen has “been sitting on,” according to his posting on Exploit Database.
Hermansen went on to explain that though he discovered the vulnerability more than 18 months ago, it remains unpatched. He also laments FireEye’s lack of a reporting process for external security researchers (FireEye has no bug bounty program like other industry leaders such as Google and Microsoft), and argues that FireEye, as a security company, has an exceptional duty to protect against remote root vulnerabilities.
The disclosure over the holiday weekend left FireEye scrambling, and a little ticked off. Hermansen had also offered on his Twitter page to sell three other FireEye zero-days, ranging between the lucrative prices of $$$ and $$$$$$. In response to a CSO Online request, Hermansen claimed that while he’d like to disclose the vulnerabilities directly to FireEye, he needed to be compensated for his work. According to the article, “the base asking price starts at around $10,000 USD per bug.”
And it’s that price tag that’s dividing the industry. Hermansen feels he’s hauled in FireEye’s most wanted and awaits his reward. FireEye feels its vulnerabilities are being held hostage and won’t negotiate with the captors.
Apple recently had a similar experience when a young-gun security researcher disclosed a zero-day vulnerability broadly affecting Apple Macs. Apple, like FireEye, doesn’t have a bug bounty program, and the response from the external security researcher was largely the same as Hermansen’s.
In contrast, on the same weekend that Hermansen disclosed the FireEye bugs, Tavis Ormandy reported a “remote, zero interaction system exploit” in Kaspersky Lab’s anti-virus product. Kaspersky issued a patch for the vulnerability in less than 24 hours, earning praise from Ormandy for its quick response. Rather than wasting time pointing fingers and debating the issue of responsible disclosure, Kaspersky’s fast action turned a sticky situation into a healthy outcome.
If you look into a past instance of Hermansen’s public disclosure, you may get a glimpse of what these security researchers are really seeking. In 2014, Hermansen discovered numerous security issues on Covered California—the state’s Affordable Care Act registration website. Despite responsible disclosure, he was met with silence and inaction, and the only response he received was from Covered California’s lawyers, demanding that he remove any publicly available disclosure information.
It seems the greatest injustice done against security researchers is ignoring them. Whether through communication, recognition, or compensation, it’s time to give them the respect they deserve. Only then can we hope to foster an industry that operates on mutual respect rather than mutually assured destruction.