Gartner: Bug bounty hunting is 'risky endeavour'

A pair of Gartner analysts have denounced a recent hack challenge that uncovered a QuickTime bug, calling it "a risky endeavour" and urging sponsors to reconsider such public contests.

Share

A pair of Gartner analysts have denounced a recent hacking challenge that uncovered a QuickTime bug, calling it "a risky endeavour" and urging sponsors to reconsider such public contests.

But TippingPoint, the company that paid $10,000 (£5,000) for the QuickTime vulnerability and its associated exploit, hit back, saying that at no time was there any danger of the vulnerability escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 (£5,000) prize offered by TippingPoint's Zero Day Initiative, a bug bounty programme that has been in operation nearly two years.

Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, "very serious". Apple has recently issued a patch for the flaw.

"Public vulnerability research and 'hacking contests' are risky endeavours, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said Gartner analysts Rich Mogull and Greg Young.

"Vulnerability research is an extremely valuable endeavour for ensuring more secure IT. However, conducting vulnerability research in a public venue ... could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

But Terri Forslof, TippingPoint's manager of security research retorted: "There are a lot of definitions of 'responsible disclosure'. What it means to us is that the vulnerability and its exploit are kept quiet and the vendor's given the time to patch the issue.

"It comes down to the facts of the case. The [CanSecWest] organisers took great pains to secure the network that was actually used for the challenge. As for the idea that this added some risk [that the vulnerability would be made public], I don't find it to be the case."

Mogull and Young recommended that security vendors call an end to public contests. "Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users," they concluded.

"This wasn't our idea," Forslof said. "We didn't host this challenge, and we didn't organise it. It was an on-the-spot decision [to offer the prize]."

Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 10-hour stretch, has said the money was not his motivation. "The challenge, especially with the time constraint, was the real draw," he said.

"On the record, I think all vulnerabilities should be disclosed only through the vendor or through a responsible third party," said Forslof. "But users were never at risk here."

Find your next job with computerworld UK jobs