Last updated: 
2 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Bug Bounties

Tuesday, June 25, 2013 - 15:31

Bug bounty schemes have always been controversial. In the early days of the Internet someone who found a bug in software was expected to inform the author and help fix it, as a matter of social responsibility. Suggesting that those researching vulnerabilities be paid for their time and effort seemed rather grubby. Unfortunately not everyone shared those scruples. Taking valuable information out of companies, building botnets and spam networks are all a lot easier if you know about software vulnerabilities that others don’t, so once criminals had worked out how to make money out of those activities it made economic sense for them to pay, or even employ, researchers to find bugs. It took a bit longer to work out an economic model that paid vulnerability researchers to remove problems, but eventually commercial vulnerability brokers appeared who paid researchers for information and then provided it, on a commercial basis, to companies supplying protection systems for networks and computers.

Both those existing markets are mostly concerned with vulnerabilities in production software. If you are a criminal then you want exploits that will give you control of lots of Internet-connected systems. If you are trying to sell a protection product, then protecting against vulnerabilities that aren’t yet in your clients’ systems isn’t a great sales pitch. Instead of adding to these markets, Microsoft’s new bug bounty programme looks earlier in the software life cycle: before programs are released as products. Microsoft already makes code available in pre-release (known as 'beta') condition, but apparently neither criminals nor brokers will pay much for vulnerabilities discovered at this stage because there is a reasonable probability that they will be discovered and fixed (or the vulnerable code removed for other reasons) before the product is released. If researchers find a vulnerability in pre-release software, the only way to get paid is to wait and hope that it is not discovered before it acquires a market value.

By offering a bounty for vulnerabilities in beta code, Microsoft are therefore creating a new opportunity for researchers who want to do the right thing and have a financial reward for their time and effort. In return, Microsoft add another tool to their software process: like code review and penetration tests, vulnerability researchers bring independent eyes that may spot bugs that developers, who know how the code is supposed to work, may not. It strikes me that fixing bugs in beta code is also very effective for the “good of the Internet” motive we started out with. Once vulnerable code is installed on customer computers many, perhaps most, will never be fixed. If computers or their operators do not regularly install patches as they become available then the bug will persist, and may be exploitable, for ever, or at least until the computer hardware fails. Discovering bugs at beta stage, when all the vulnerable code is still firmly in the vendor’s control, means none of us need to worry about their impact on the Internet or the systems we connect to it.

Wired have an article comparing vulnerability bounty programs.