Monday, June 26, 2017

Vulnerability Disclosure, Free Bug Reports & Being a Greedy Bastard


Backstory:

Most of my life I've been frustrated/intrigued that my Dad was constantly upset that he would "do the right thing" by people and in return people wouldn't show him gratitude... up to straight up fucking him over in return. Over and over the same cycle would repeat of him doing right by someone only to have that person not reciprocate.

The above is important as it relates to the rest of the post and topic(s).

I was relaying some frustrations to a close non-infosec friend about my experience of discovering companies had made some fairly serious Internet security uh ohs... like misconfigured S3 buckets full of db backups and creds, root AWS keys checked into GitHub, or Slack tokens checked into GitHub/pastebin that would give companies a "REALLY bad day". These companies had been receptive to the reporting and fixed the problem but did NOT have bug bounty programs and thus did not pay a bounty for the reporting of the issue.

My friend, with some great insight and observation, suggested that I was getting frustrated and doing exactly the same thing my Dad was doing by having assumptions on how other people should behave.

So this blog post is an attempt for me to work through some of these issues and have a discussion about the topics.


Questions I don't necessarily have answers for:

1. Does a vulnerability I wasn't asked to find have value?

2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?

3a. If #1 or #2 is Yes, when a business doesn't have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something? If they have a BB program I think most people agree yes. But what about when they don't?

3b. Does the size of the business make a difference? If so, what level?  mom and pop maybe not, VC funded startup?  30 billion dollar Hedge Fund?

4. Is a "Thanks Bro!" enough, or have we evolved as a society where basically everything deserves some sort of monetary reward? After being an observer for two BB programs... "f**k you pay me" seems to be the current attitude. If they did a public "Thanks Bro" does that make a difference/satisfy my ego?

5a. Is "making the Internet safer" enough of a reward?

5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Does a company leaking their OWN data make the Internet less safe? [It's good for their competitors]

If they get ransomware'd or their EC2 infra shut down/turned off/deleted Code Spaces style, am I somewhat (morally) responsible if I didn't report it?

6. Does ignoring a pretty significant issue for a company make me a "bad person"?

7a. Am I a "bad person" if I want $$$ for reporting the issue?

7b. If yes, is that because I make $X and I'm being a greedy bastard? What if I made way less money?

7c. Does ignoring/not reporting an issue because I probably won't get $$ make me a "bad person"? Numbers 1-3 come into play here for sure.


My last two jobs, I've worked for companies that had Bug Bounty programs, so my opinion on the above is DEFINITELY shaped by working for companies that get it, understand and care about their security posture, and do feel that reporting of security issues by outside researchers has monetary value. An added benefit of having a program, especially through one of the BB vendors, is that you get to NDA the researchers and you get to control disclosure.


Thoughts/comments VERY welcome on this one. Leaving comments seems out of style now, but I do have open DMs on Twitter if you want to go that route. I have a few real world experiences with this where I let some companies know some pretty serious stuff (Slack token with access to corp Slack, S3 buckets with creds/db backups, and root AWS keys checked into GitHub for weeks) where it was fixed with no drama but no bounty paid.


-CG

8 comments:

Anonymous said...

I think the answers to a lot of your questions depend on your employer (aka corporate policy) and your own sense of ethics/morals.

That being said, I feel all vulns found in the course of a test have value & should be reported. It's up to the report recipient to act on them.

In terms of the others, I've said before that IT (info sec in particular) is rife with egomaniacs in constant need of validation (whether through money or public acknowledgement). My philosophy is: if I find/stumble across a problem, I'm going to report it. Let the chips fall where they may on reward...I know I did the right thing.

Anonymous said...

Your friend had a good insight there; unfortunately I think it's impossible to live in a society and not have expectations (unless you are a Buddhist monk, in which case you voluntarily retreat from society and avoid this problem altogether). I think you can reach even lower and realise that your brain has evolved to deal with small groups of people, where the probability of meeting someone who you helped in the past was significant enough to have a desire to help and an expectation that your favor will be returned. And yes, a lot of people freeload on this instinct to help thy neighbor, especially with security where people have the notion that even if they leave the front door open you shouldn't enter because that's ethically a bad thing and we have laws for that. Compound that with the fact that infosec is still seen badly from outside, especially by managers who see it as a hassle, and that we haven't yet reached a point where it is normal and expected to reward people who do this work. For all these reasons I think there is no right answer and in the grand scheme of things it doesn't even matter, so either you accept the narrative that others impose on you (help others, behave ethically, etc. and the rewards will come) or realise that you're kinda responsible to adjust your moral compass to suit you. Is instilling a healthy fear of being hacked and appreciating the next time a good guy comes and points out the issues a good thing for that company and the internet in the long run?

Anonymous said...

Previous poster had some good points. I agree totally about the Buddhist monk thing... I do info sec because I like the field and I get paid :) I'll always do right by my customers, but I try to balance that against the rules of engagement & scope. Want me to go outside of scope... ok, but it'll cost you X amount more and take X days/weeks longer.

Whenever I've helped someone with a security issue pro bono, I always end it with the phrase "consider hiring an info sec person to help you out more". That way, I help thy internet neighbor and gently remind them that we don't work for free.

Steven Maske said...

You've asked a lot of great questions many of which don't have clearly defined answers. Here are my two cents...

1. Does a vulnerability I wasn't asked to find have value?

Very possibly. Look at it in marketing terms. If you can sell it (i.e. someone is willing to pay money for it) then it has value.


2. If someone outside your company reports an issue and you fix it, does that issue/report now have value/deserve to be paid for (bug bounty)?

It's natural to want to be paid for your time; however, think of it like this... Bug Bounties are effectively a way of asking the public to identify issues. If a bug bounty doesn't exist then the company is not asking you to spend your time looking for issues.


3a. If #1 or #2 is Yes, when a business doesn't have a Bug Bounty program, are they morally/ethically/peer pressure obligated to pay something? If they have a BB program I think most people agree yes. But what about when they don't?

There's no obligation to pay if they don't have a formal Bug Bounty program. By choosing to find an issue with no Bug Bounty program, a person is effectively donating their time. Could a company be pressured into paying anyway? Well, I have seen this happen.


3b. Does the size of the business make a difference? If so, what level? mom and pop maybe not, VC funded startup? 30 billion dollar Hedge Fund?

Bug Bounties are a natural progression in a mature security program. The bigger the company, the larger the InfoSec budget, and the more likely it is that they'll have a Bug Bounty program. With that said, I have seen smaller companies that have Bug Bounty programs; the reward is just not as great. Sometimes it can just be a t-shirt and/or a public thank you.


4. Is a "Thanks Bro!" enough, or have we evolved as a society where basically everything deserves some sort of monetary reward? After being an observer for two BB programs... "f**k you pay me" seems to be the current attitude. If they did a public "Thanks Bro" does that make a difference/satisfy my ego?

I agree with your assessment of the current attitude but I believe that it's rather obnoxious. If a bug bounty doesn't exist then why go looking for the issue unless you're just trying to be a good samaritan? Whether or not someone appreciates a "Thanks Bro!" is up to them but they are not entitled to anything that is not publicly offered.


5a. Is "making the Internet safer" enough of a reward?

This is a personal question. In my case I'd honestly weigh the time/effort/impact of reporting the issues and decide how much of my time is worth spending on it.


5b. Does a company with an open S3 bucket make the Internet less safe? Does a company leaking client data make the Internet less safe? [I think Yes]
Does a company leaking their OWN data make the Internet less safe? [It's good for their competitors]


It really depends on the data being leaked but in general, yes, I believe that unintentionally leaking information negatively impacts users.


If they get ransomware'd or their EC2 infra shut down/turned off/deleted Code Spaces style, am I somewhat (morally) responsible if I didn't report it?

This is hard to say. Morals are not universal for everyone. Personally, I don't think it hurts to send an email but the amount of time and effort I put into it varies on how cooperative/appreciative they are (assuming the lack of a bug bounty program).

Steven Maske said...

(Cont.)

6. Does ignoring a pretty significant issue for a company make me a "bad person"?

This is a deep personal philosophical question, so I'll put it back on you. Do you think it makes you a bad person?


7a. Am I a "bad person" if I want $$$ for reporting the issue?

I'll go back to what I said earlier: it's natural to want to be paid for your time, but if no one asks you to spend your time on it then you are donating your time.


7b. If yes, is that because I make $X and I'm being a greedy bastard? What if I made way less money?

How much money you make as part of your day job is irrelevant. See answers to 6 & 7b.


7c. Does ignoring/not reporting an issue because I probably won't get $$ make me a "bad person"? Numbers 1-3 come into play here for sure.

In a lot of my answers I made the assumption that someone is seeking out a bug. I know that in a lot of scenarios it's very likely that you just stumbled upon something you were not expecting to find. Think of it like this: if you notice your neighbor left their gate open, would you tell them so their dog doesn't run away?

In the end, here's what I do... If I stumble upon a bug I report it. I start by seeing if they have a bug bounty program. If they do then I'll follow the outlined procedure. If not, then I'm not going to give them a formal report. I'll send a courtesy email or phone call. If they don't respond (or get lawyery) then it's on them.

Again, just my two cents. YMMV.

dre said...

Organize and commit yourself to the 60-day notification with public notification the default (but up to them, especially if they do not have a visible bug-bounty program). Explain in each conversation the ground rules: you will stop notifications and not be liable after 60 days. Follow up at the 30-day, 45-day, and 60-day marks. If you can, make the notifications appear just like a formal legal complaint. A tenant-landlord communication style comes to mind. However, I would not contact or speak to any of their counsel. It is best to talk to a board member, an executive, or, at the very least, a person at the organization responsible for public relations. If they engage counsel or law enforcement, ask for the matter to be handled by an executive analyst instead. Executive analysts are typically attorneys who report to the board (and not the general counsel or external firm). If the organization is local to your area and the issue is significant enough, you could also escalate the issue immediately through InfraGard to the local FBI office (who will do their own notification). If you think the issues identified could have national-level impact, report the issues to the DHS as a cyber incident (assuming it meets their qualifications).

If none of these avenues appear viable and the organization does not respond at all, post your bundle online -- probably pastebin. Tell them that's where all communications will be posted and notify (with link) 60 days in when it is. In your pastebin post, don't leave anything out except the communication to/from counsel or law enforcement. If the organization asks you to keep the disclosure private/offline, then do as they ask. Give them an out. Explain only this much. Don't ask for a bounty, don't suggest that they need or should have a bounty program, and don't say that CompanyX or whoever else paid you for a bounty (or paid you for anything) in a similar situation. If the org contacts you after 60 days, especially about the pastebin, then tell them that the best way to get the pastebin material down is to establish a relationship with MarkMonitor, NetNames, dotNice, or brandprotect.

Does this entire affair cost you [theoretical] money and take up your time? Yes, but so does accidentally finding a suitcase full of cash in a public area, such as a sidewalk. You can't just leave the suitcase there. You have to do something about it.

Gone are the days for reporting to technical people if that information isn't widely available. You don't go digging for an org's abuse or security contacts where they don't exist. You must engage with a business owner. It's their property and their crisis. You will want to begin your initial notification with evidence showing that no Central Point-of-Contact (CPOC) information was available, and thus this is why they are being contacted.

1) Do notify the issues discovered as a crisis and give them 60 days, leaving all aspects up to them. Use the subject line (or ask that the matter be addressed as): Crisis related to Online Intellectual Property
2) Don't talk to counsel or law enforcement unless absolutely necessary. Do talk to business owners, especially board members and those who report directly to the board
3) Do publish all communiqués (except counsel and LE) on pastebin if 60 days have been reached and where the org has not explicitly asked you not to do so
3a) Do let the org know that pastebin material can be taken down by MarkMonitor or similar
4) Don't mention bounty programs or how things should work. Do mention that a CPOC for these issues could not be found

Phil Garcia said...

Your father evidently never learned the Golden Rule: Do unto others, before others do unto you.

dre said...

https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident