The bug bounty business has changed in the past 10 years. I recall that in the early days of the Zero Day Initiative (ZDI), we were seen as “controversial,” a publicity stunt to generate some noise in the press. But ultimately, we knew we were on to something. In a recent eWeek article that quoted Brian Gorenc from the ZDI and others, the topic of bug bounties focuses on how companies like Apple and others are now offering upwards of $200,000 USD for serious software flaws. I applaud those who have stepped up and embraced the notion of accepting a helping hand to make their software better and providing a reward in return. I know there are still a number of companies out there who are vehemently against the concept of a bug bounty program, hiding behind things like the terms of their license agreement, but I’ll refrain from naming them to protect the guilty.
In the back of my mind, I still think something isn’t quite right. I’ve even discussed this in a previous blog. As one of our sales people likes to say, “So what?” As more companies develop their own bug bounties and back them up with large amounts of cash, hopefully it will make a dent in the gray and black markets. But that “A” word keeps popping up: accountability. Are companies giving themselves a time limit to fix the flaws that come through their programs? I compare it to borrowing money. If I borrow $1,000 from a friend and they tell me to pay them back “whenever,” that can be a long time, especially if I know I don’t have to pay them back with interest. If I borrow money from a bank, not only do I get a deadline, I also get the terms of what they’ll impose on me if I don’t meet that deadline: additional fees, interest, collection agencies, etc. Even though the ZDI is part of Trend Micro, it maintains a vendor-agnostic approach. The ZDI’s disclosure policy is four months, even for OUR solutions. Any Trend Micro vulnerabilities aren’t treated any differently. The ZDI will work with vendors, including ourselves, to make sure they have all the information they need to patch a vulnerability in a timely fashion. Hopefully companies who embark on their own bug bounty programs will hold themselves to a high and timely standard.
There are two new zero-day filters covering two vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.
Missed Last Week’s News?
Catch up on last week’s news in my weekly recap.