Next for Bug Bounties: More Open Source Funding

Published: 23/11/2024   Category: security




Ten years after kicking off its Vulnerability Rewards Program, Google sees another decade of bounties with a focus on shoring up open source projects.



The need for bug bounty programs will only increase in the future, especially as a way to reward researchers for finding vulnerabilities in open source software and to make the common components used across applications more secure, Google's program manager said this week.
On Tuesday, the Internet giant marked a decade of its own bug bounty, the Vulnerability Rewards Program (VRP), by launching a new online platform for its research community. When the company kicked off its VRP a decade ago, researchers submitted 25 issues on the first day. Now the company has paid out more than $29 million for 11,055 vulnerabilities over the past decade.
Continually refreshing software won't mean the need for such programs will go away; in fact, they'll need to be applied to other software ecosystems, especially the open source software development community, says Jan Keller, technical program manager for Google's VRP.
"One of the big things that we are working on is to bring open source security into the scope of things," he says. "I certainly don't worry about there not being enough bugs out there for researchers."
Bug-bounty programs have gone from being perceived as risky endeavors to a common part of many software security programs. In 2005, when TippingPoint kicked off its third-party bug-bounty program, the Zero-Day Initiative, only a few other organizations — such as the Mozilla Foundation and VeriSign's iDefense — offered rewards for vulnerabilities. Yet support for programs grew steadily. Even Microsoft, which resisted paying for security vulnerabilities, launched a program in 2013.
Yet open source software continues to be a weak spot in the universe of bug bounties. While some programs exist — such as the Internet Bug Bounty — to pay a reward to those who report vulnerabilities in the critical software supporting the Internet, the coverage of critical software components is nowhere near complete.
In May, a group of researchers proposed that a catch-all vulnerability rewards program, the Bug Bounty Program of Last Resort, should be created for a more stable — and legal — market for vulnerability information that incentivizes reporting issues to vendors.
"Bug bounties have instead proven themselves an additional effective mechanism to improve vulnerability discovery, while also reducing the availability of zero-day vulnerabilities and exploits to malicious cyber actors, [b]ut they are not trivial to operate and have not yet been adopted widely or consistently," the researchers stated in the program proposal. "Startup vendors and open source projects especially are challenged to fund and manage such programs, yet their technologies underpin the digital transformation."
Google will focus on open source bug bounties in the next decade, Google's Keller says. Programs such as the Internet Bug Bounty need to be expanded, and additional programs to help developers detect and avoid malicious code commits should be created, he says.
Google already supports some open source projects and plans to expand its support. While vulnerability-discovery support should focus on the open source components that are used widely by Web applications and Web frameworks, popular consumer applications, such as the VLC video player, should also be supported, Keller says.
"This should not be only a Google thing or an Alphabet thing — we want this to be a joint venture between companies that are using open source heavily," he says. "There are a lot of us out there that run Linux, for example, so we need to be tackling that problem together."
Another trend for the next decade: the increasing use of artificial intelligence (AI) and machine learning (ML) to analyze code and find vulnerabilities. AI/ML has already started helping developers create more secure code and security researchers find more vulnerabilities. In early July, for example, GitHub released early data on its developer assistant, Copilot, which is designed to auto-complete functions as a developer types. The ML system, based on OpenAI's Codex, can guess the intended function from the name, comments, and variables about 43% of the time.
Yet, for the next decade, 78% of hackers believe they will continue to hold the upper hand over machine-directed analysis, according to BugCrowd's Inside the Mind of a Hacker 2020 report.
Still, as the number of ML tools introduced to quash bugs rapidly increases, most developers and application-security specialists will likely be using such tools.
The number of vulnerability researchers increased dramatically during the coronavirus pandemic. Submissions to Google grew by about 50%, as more people had time to work on finding bugs in third-party software, Keller says.
Companies should make use of this potential, he argues.
"Nowadays, it should be obvious to all the major companies that bug bounties are a good investment," Keller says. "There are multiple compromises every week, and breaches are far more expensive than the cost of these programs."
