How can defenders gain advantage in the 0day market?
According to MIT, Harvard, and HackerOne researchers, the answer is not to throw more money at bug hunters, but to incentivize them to find the same vulnerabilities that offensive researchers have already found. In short, to increase “bug collision.”
“The vulnerability market is not controlled by price alone — many levers exist that tip the scales between offense and defense,” says HackerOne Chief Policy Officer Katie Moussouris.
Offering huge sums for vulnerabilities can ultimately be counterproductive, as researchers and developers would find it more lucrative to find vulnerabilities than to fix them (or develop software in general).
Also, not all hackers are primarily motivated by money.
“Even those who sell to governments often do so selectively, intentionally choosing sides, even if the ‘other side’ might pay them more money,” she noted. “Human behavior is always more complex than simply attributing decisions to greed and nothing more, and hackers are no exception.”
Bug bounties are a good way to motivate researchers to find and report bugs to the developers, and are especially effective when they are set up with the intention of de-bugging less mature software.
So how can we achieve the draining of the offensive stockpile of vulnerabilities?
The researchers found that “throwing more bodies or money towards trying to find more vulnerabilities” can help, but that the right answer is developing better tools and techniques for vulnerability discovery.
This is something that can also be “outsourced.”
“More mature vendors should consider augmenting their standard bug bounty programs to include special incentives for tools and techniques that help them find vulnerabilities more efficiently,” said Moussouris, and announced that HackerOne – the organization that runs the Internet Bug Bounty program – has done just that.
“We’d like to encourage hackers to make these tools available to the world, so that defenders can scale their efforts more efficiently,” she noted. “If you’d like to nominate a tool or technique for a bounty under this program expansion, please include a publicly-available link to the tool and write-up, preferably pointing to resolved bugs found using this tool or technique. Example tools include but are not limited to fuzzers, debugger plugins, and especially ways to help determine exploitability of bugs more efficiently.”
“Metasploit, as many people know, is largely a community-driven, volunteer effort that relies on the goodwill of researchers to share their findings with the world, and we don’t seem to be running out of useful exploits to demonstrate risk. However, as the researchers on the 0day market have found, there are many incentives out there for keeping bugs secret and using them for purely offensive purposes,” commented Tod Beardsley, Engineering Manager at Rapid7.
“I’m glad to see the IBB and HackerOne take a lead on guiding and focusing the exploit efforts of the ‘good guys.’ Organized crime is, by definition, organized, and I know that the greater open source security research community can lack focus in the face of so many vulnerabilities being published on a daily basis,” he added.
“As a side effect of incentivizing researchers to teach each other how to better conduct exploit R&D, I feel like these efforts of the IBB will also help prioritize what kind of research is the most useful and fruitful, by making it easier to rediscover the secret vulnerabilities already being stockpiled today.”
The researchers are scheduled to present this model of the zero-day market at RSA Conference 2015.