Google paid over $1.2 M in bug bounties to security researchers for reporting cross-site scripting (XSS) bugs in Google applications during the past 2 years. This fact is mentioned matter-of-factly in a blog article discussing a newly-released security tool.

I want to spend a moment discussing bug bounties and the implications of this Google factoid.

Bug Bounties

Bug bounties are a means of rewarding security researchers for finding security vulnerabilities in software. The rewards can be very significant cash payouts, swag, fame, airline miles, or some combination of these. The net result is that the bugs are found by the researchers, and they get fixed by the developers. Everyone is happy!

Many organizations have a bug bounty program of some kind. Bugcrowd and Bugsheet are two sites that list bug bounty and vulnerability disclosure programs. A small minority of security researchers do well with income produced by bug bounties, but most researchers do not make enough to work full-time at bug hunting. Nevertheless, bug bounties are a big business. Bugcrowd and HackerOne both have managed service offerings that provide vulnerability coordination and bug bounty program implementation for organizations. These offerings allow companies to work more effectively with security researchers and handle the process of bug submission, remediation, and awarding of the bounty.

The Economics of Bug Bounties

At the 22nd USENIX Security Symposium (2013), a presentation and paper titled "An Empirical Study of Vulnerability Rewards Programs" discussed the Chrome and Firefox vulnerability rewards programs. The authors concluded that the programs are cost effective (about the equivalent cost of one developer), and that about 25% of bugs affecting the releases were a result of the vulnerability rewards programs.

Bugcrowd publishes a bug bounty report that describes observations from their service offering. Some highlights from The 2016 State of the Bug Bounty report:

  • 9963 valid, non-duplicate submissions during 1Q 2016
  • $2,054,721 paid out across 6,803 paid submissions and additional payments (as of 31 March 2016)
  • The top findings from valid submissions (these numbers are rounded):
      • 66% Cross site scripting
      • 20% Cross site request forgery
      • 9% Mobile
      • 4% SQL injection

What it Means

Bug bounty programs are growing and paying out at an increasing rate. This means that security researchers are finding bugs and companies are fixing them, and that improves software quality and security. But the other important observation is the astonishing $1.2M paid by Google for just XSS vulnerabilities! That’s lots of cross-site scripting vulnerabilities in Google applications. It probably is a good indication that they have lots of other types of bugs, too. It may also mean that they are paying top dollar for those bugs.

If Google is working hard to write software that is reasonably secure and bug free (we hope), the $1.2 M data point for just XSS vulnerabilities is an indication that writing secure software is not easy to do.

The lesson from the Google bounty payout for XSS vulnerabilities is that even for organizations with talented and educated staff, with the right tools, with the right processes, and with the desire to build secure software, it is still hard to do. Having a comprehensive software development lifecycle that addresses the design, coding, testing, and maintenance of software systems helps ensure more secure software, despite the bugs.