Guts & Greed: How Bug Hunter Arrogance and Apathy Hurts Us All
2024-05-08 Author: securityboulevard.com

Oh gawd, what a click-baity title. Do I have your attention now?

Good.

I’ve been reading through a disturbing trend of tweets lately that has me shaking my head. It centers around the idea that Vulnerability Disclosure Programs (VDPs) are bad and that no serious bug bounty hunter should ever work with a software vendor that publishes one. This trend is not just concerning; it’s damaging.

I don’t want to single any individual bug hunter out. You are entitled to your opinion, and individual tweets without context aren’t helpful to the conversation anyway. But when I hear phrases like “VDPs damage the Bug Bounty World” and “People who report to VDPs are gay,” it shows me a clear sense of arrogance and apathy that hurts us all.

Let me explain.

My experience with security bugs 

If you are reading my blog, chances are you already know I’ve been building and breaking software for over 30 years. 

But if you are new here, welcome. 

I’m a grumpy old man with enough scars to know what NOT to do, cynical enough to know how it should be done, and experienced enough to know how to screw it up when you try. I’m sure some of you can relate.

I’ve been on both sides of the table. I’ve been a security researcher since way before we called it that. And I’ve been responsible for software projects with their share of security vulnerabilities. Hell, I’ve walked into projects with so much appsec technical debt in the backlog it would make any security engineer’s head spin.

So, I have a somewhat unique perspective that many modern-day bug bounty hunters may not possess.

But enough about me. Let’s talk a bit about what I have seen happen over the last 30 years regarding reporting vulnerabilities and how it has changed and matured into what we call bug bounty hunting these days. 

A short history of reporting vulns in the pursuit of profit 

Back in the late 90s, I was a member of the NTBugtraq mailing list. It was a safe place where we could disclose vulnerabilities and get them into the hands of software vendors like Microsoft without getting in trouble or caught up in the politics of “responsible disclosure.” In fact, that term wasn’t even used back then. 

Russ Cooper, the moderator of the list, did a great job of filtering out the crap and focusing on delivering valuable insights that everyone could rely on. The problem was that some software companies (like Microsoft) were getting a little frustrated that disclosure was going public before they could even address the issue.

RFPolicy is born 

Around 2000, “rain forest puppy” (rfp) published RFPolicy, one of the first vulnerability disclosure policies that could be used as a framework for disclosure. The intent was to give vendors a defined window to learn about and address issues before they were made public.

It was also around this time that Marcus Ranum gave his Black Hat talk “Script Kiddiez Suck”, in which he argued that security researchers and infosec professionals as a whole shouldn’t support full disclosure because it wasn’t working. If the state of security wasn’t improving, how were we doing anything but making it easier for the clueless to cause chaos?

It was a tumultuous time, to be sure.

Commercializing vulnerabilities becomes a thing

Notice that around this time, the idea of making money as a bug hunter wasn’t really a thing. Talking about getting paid for security research directly from vendors was considered by some to be a form of extortion. Vendors had lawyers in their back pockets, and if you asked for money in exchange for vulnerability details, you were potentially in a world of hurt.  

It’s one of the reasons commercial markets for vulnerabilities (and exploits) became a thing. Companies like iDefense and TippingPoint emerged to address this gap. But a lot of the time, the vulns weren’t getting to the vendors fast enough, if at all. And security researchers felt their work wasn’t being valued.

Security Researchers want to get paid…

Fast-forward several years, and Charlie Miller publishes a paper on “The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales” and presents it to The Workshop on the Economics of Information Security (WEIS2007).

He argues that security researchers should be legally compensated for their research. Yet in his experience, it was a struggle to get fair value for work and ensure vulnerabilities didn’t fall into the wrong hands.  

He concludes vendors need to pay researchers.

Two years later, at CanSecWest 2009, several security researchers (including Charlie) started touting “No More Free Bugs”. They even made pretty signs…

It was no longer a debate about disclosure. It was the principle of getting paid.

This became the catalyst for a discussion on bug bounty programs, in which vendors compensate researchers for bugs found in their products.

Seeing the commercial opportunity in this, both HackerOne and Bugcrowd were founded a few years later, in 2012. 

Bug bounty was becoming a thing. This is the way.

Enough of the history lesson. Why does this matter?

So far, our walk down memory lane has been through the perspective of the security researcher. We can see how the industry has shifted, and how hunters want to get paid for their work now. 

They aren’t wrong.

What’s missing though, is looking at this from the software vendor’s perspective. I’m not just talking about the big guys with mature application security programs like Microsoft, Google, or Apple… but of every software company out there that has exposure to the brilliant minds around the world who are curious, crazy, and/or compensation-driven.

We also aren’t addressing the fact that security researchers come in all shapes, sizes, skills, and competency levels. If there is one thing we can credit the COVID pandemic with, it is the influx of the next horde of bug hunters.

Properly published Vulnerability Disclosure Programs (VDPs) can be very helpful to both parties. They are actually a good thing.

Let me show you why.

Vulnerability Disclosure Programs (VDP) are a Good Thing™

It shouldn’t surprise you that most software companies don’t write software to keep security geeks employed. In fact, it’s probably fair to say that most software companies go through a slow maturity cycle when it comes to appsec, which is much longer and later than most people expect.

Whether a startup or a mature multi-billion dollar company that now writes its own software, the company may still be in its infancy when it comes to application security. Budgets will be constrained, and processes may still need to be built out. 

Very few may have even heard of Vulnerability Disclosure Programs (VDP). That is changing thanks to folks who work on things like disclose.io, but we still have a ways to go.

In my Security Researcher’s Guide to Reporting Vulnerabilities to Vendors, I make the argument that bug hunters need to show more empathy; vendors are powered by people, and those people are probably overwhelmed.

You want those people to be your ally, not your adversary. 

Vendors need a lot of guts to publish a VDP

Seeing bug hunters bad mouth vendors who have published a VDP seems ludicrous to me. 

Vendors are stepping up and saying to the world, “We have a formalized approach in which third parties can report security vulnerabilities to us without fearing legal recourse. And we have a chance to fix those issues and protect our clients before our adversaries know about it.”

It lets the vendor commit to safe harbor best practices, so that genuine security research can take place while they are still developing their application security processes. Both parties benefit. This should be celebrated.

You aren’t forced to participate in it. 

But if you don’t want to follow the guidelines and scope of the VDP, you have no business hacking their software. And you definitely have no right to expect to be paid for it unless the VDP clearly defines a reward structure. 

Please, do not beg for bounties. You should know in advance if your target will reward you for any vulnerabilities disclosed.

Bug Hunters need a lot of guts to engage in a VDP

So the value of a VDP isn’t just for the software vendor. 

Bug Hunters can use a VDP to showcase their skills against real-world targets in a safe and legal manner. This is a great way to demonstrate competency while gaining experience when first entering the field.

While most VDPs typically don’t offer rewards (aside from maybe some vendor SWAG), they usually do offer recognition. This recognition helps build reputation in the general security community if that is important to you.

Some bug hunters actually gain a reputation with the vendors they work with and even get offered part-time or full-time gigs. You just never know what can happen when responsible, professional engagement in security research goes both ways.

It’s also just good karma to influence modern-day digital safety. It feels good to know you are protecting the apps and infrastructure that we use every day.

I have hacked on many VDPs…

Because they were fun and I wanted to hack that brand or cause.

Fuck me I guess 🤷🏻‍♂️

— Jason Haddix (@Jhaddix) May 3, 2024

Some orgs can’t afford to run public bug bounty programs

It’s easy for bug hunters to see an organization generating millions (or billions) in revenue and believe they are in a position to pay for vulnerability disclosure. But that isn’t always the case.

Managing a VDP is hard enough. They need to triage incidents. Review and investigate reports. Engage with the developers and eventually get it on the backlog. Then product owners have to figure out how to schedule fixes in without impacting their regular deliverables.

This all has to happen within a reasonable time frame to stay within the VDP’s good faith efforts expectations. It all costs in time and opportunity.

Vendors have to prioritize effort and investments

According to some research, vendors can only fix between 10% and 15% of the vulnerabilities reported to them in a given month. So prioritization is key as their security tech debt grows.

It’s why things like the Exploit Prediction Scoring System (EPSS) exist: rather than treating every finding as equally urgent, it estimates how likely a given vulnerability is to actually be exploited in the wild, so the limited remediation capacity goes where it matters most. 

Now throw money into the mix. 

Bug bounty programs (BBP) make that considerably harder. 

With the chance of getting paid, far more bug hunters are willing to contribute. A vendor could be dealing with significantly more incidents coming into triage at any given time. 

A lot of the reports coming in suck. They aren’t complete. They aren’t accurate. Automated tools generate false positives that flood triage. Yet every report that is filed still has to be investigated and closed out.

It happens — more than people want to admit.

Security Maturity infancy may impact decisions

If the organization’s security maturity level is still in its infancy, it may not be ready for BBP yet. There may be too much “low-hanging fruit” that needs to be addressed first. 

Not just in the sheer number of vulnerabilities that may get reported. But in developing processes to handle it all. 

They may not have the budget to meaningfully compensate bug hunters yet, nor will they have a streamlined process for managing everything.

This is why organizations usually mature from a VDP into a private bug bounty program, so they can control the inflow of reports and manage budget expectations accordingly. But that’s a discussion for another day.

So sh*tting on their VDP before they get there helps no one. 

Arrogance and Apathy

Back to the point of this post. VDPs aren’t a bad thing. They are a significant first step in an organization’s security maturity. 

Yet, the disdain some bug hunters show towards VDPs is both unhelpful and misguided. It reflects a deeper issue within the bug hunting community: a shift from collaborative problem-solving to a sense of entitlement. 

This entitlement is not just harmful to the relationship between researchers and vendors — it also diminishes the collective effort needed to enhance cybersecurity.

Arrogance can blind bug hunters to the bigger picture. When hunters dismiss VDPs because they don’t offer immediate financial rewards, they overlook the broader benefits of these programs: building a safer digital world, establishing professional credibility, and developing long-term partnerships with vendors as they build out their appsec programs.

Apathy, on the other hand, manifests as a lack of concern for the consequences of disrespecting vendors’ efforts as they improve their security maturity level. 

I’m not saying bug hunters shouldn’t be paid; there is a time and place for it. You aren’t forced to participate in a VDP, but a software vendor owes you nothing unless they invite you to a program that offers rewards and remuneration.

That doesn’t make a VDP bad.

Conclusion

It’s crucial for the community to remember why VDPs exist. They are not merely mechanisms for financial gain but vital tools that allow us to participate in good faith security research. 

By participating in VDPs, researchers not only hone their skills but also contribute positively to improving cybersecurity globally across the tech ecosystem. This approach fosters trust and respect between vendors and the security community, which is essential for effective vulnerability management.

Moreover, this trust translates into better security practices and innovations that benefit everyone. Companies that see positive engagement through their VDPs are more likely to invest in more comprehensive security measures, including bug bounty programs that can offer financial rewards.

As we move forward, it’s important for both vendors and bug hunters to engage in open, honest dialog about their expectations and responsibilities. 

For vendors, this means providing clear, fair VDP guidelines and recognizing the valuable contributions of researchers. 

For bug hunters, it means approaching VDPs with professionalism and a spirit of cooperation. Be patient as vendors improve their appsec processes internally and grow into BBP. 

Ultimately, the goal is to shift the culture from “guts and greed” to mutual respect and collective security.

Let’s work together to make the digital world safer, not out of greed or for glory, but because it’s the right thing to do.

The post Guts & Greed: How Bug Hunter Arrogance and Apathy Hurts Us All appeared first on Dana Epp's Blog.

*** This is a Security Bloggers Network syndicated blog from Dana Epp's Blog authored by Dana Epp. Read the original post at: https://danaepp.com/guts-and-greed-vdp

Source: https://securityboulevard.com/2024/05/guts-greed-how-bug-hunter-arrogance-and-apathy-hurts-us-all/