Two news stories today, both dealing with the do's and don'ts of incentivizing skilled minds to help tighten down security holes.
First up, Google has announced a $2.7 million bug bounty for Chrome OS, to be contested at the Pwnium 4 hacking contest in March. The article from BGR and another from PCWorld go on to describe last year's contest, where the sole participant, PinkyPie, earned $40,000 for what Google called a "partial exploit". This year there will hopefully be more contestants, but to claim a prize they must present functioning exploit code to Google and be able to describe all of the vulnerabilities at play. Google isn't the only company that pays bounties for bug reports; Microsoft and Facebook are two others that pay out. Though the payouts are substantial, they rarely reach the inflated headline figures the companies list to grab attention, as in the case of Reginaldo Silva and Facebook.
Moving on, in the past few weeks another story has come to light in Australia, about a teen who discovered a SQLi vulnerability on a government website and reported it to the proper authorities. The vulnerability, which exposed the private information of some 600,000 individuals, was reported by Joshua Rogers after Christmas. After hearing nothing back for two weeks, Rogers went to the newspaper The Age and informed them as well. Once The Age contacted the department over the matter, Rogers was reported to the police. While charges have not yet been filed against Rogers, it is a sad state of affairs when this happens, and it is not the only case. In the US, Andrew Auernheimer and a friend discovered a vulnerability in AT&T's website and wrote a script to test out the exploit, afterwards reporting it to a journalist at Gawker. Auernheimer was charged with hacking and identity theft and is now serving a three-and-a-half-year prison term while appealing his conviction.
Why would anyone risk imprisonment by reporting an exploit to a company? This mentality only fosters hesitation on the part of any "Grey Hat" to report these issues to the proper authorities, and may instead push them to sell known exploits to others who will inflict losses on that very company.