Bounty attracts bug busters
Finding security bugs in browsers seems to have become a favorite Net pastime. But should the faultfinders be paid?
Trawling for security bugs has become one of the Internet's favorite pastimes, a sport that has computer science professors and student hackers jockeying to find the latest glitch. Some are looking to improve the security of Internet products, but some are looking for a few minutes of fame. And now at least one appears to be in it for the money.
This week, Netscape Communications (NSCP) is crying foul over a Danish programmer's demands for money in return for the technical details behind a newly discovered security bug in its Navigator browsers. The company claims the programmer tried to hold it hostage. (See related story)
The Danish programmer, Christian Orellana, has been labeled a high-tech extortionist by the press and other software companies. But some observers think Netscape bears part of the responsibility for the situation.
The company sponsors a program called Bugs Bounty that offers $1,000 and a T-shirt for new bug reports. Netscape says Orellana wanted more than $1,000 to divulge his details, and when the company refused, he demonstrated the security problem to PC Magazine and CNNfn.
Netscape said that it has doled out more than 20 $1,000 rewards since it launched Bugs Bounty in 1995. But by initiating the bounty program, some say the company created the expectation that bugs are worth money.
Brian Bershad, an associate professor of computer science at the University of Washington who has discovered a series of potential security flaws in Java, thinks that cash offers for bugs lend themselves to abuse.
"Netscape has sort of brought this on themselves by offering up money," he said. "They've decided there is a cash value to discovering these things."
Other companies, such as Microsoft and Sun Microsystems, said they do not offer cash rewards for bug discoveries, though both have hired bug finders as security consultants. Bershad said Microsoft offered him work as a security consultant, but he declined.
Netscape says its Bugs Bounty program has helped it motivate users to weed out security glitches, thereby improving its products. The company said the Danish programmer was the first person to demand more than the standard reward.
"The goal [of Bugs Bounty] was to provide incentive for people to work in a productive, not malicious, way," said company spokeswoman Andrea Cook. "You become part of the team. It's something that makes it worthwhile. The goal was not to raise the stakes."
Indeed, some ask, why shouldn't bug finders get paid for their work?
Under intense competitive pressure to quickly deliver products to market, software companies like Netscape, Sun, and Microsoft are increasingly relying on the public to test their products, a process known as "quality assurance" in high-tech lingo. Don't Internet users deserve to be rewarded for the same work consultants and internal testers get paid to do?
That leaves the group that thinks paying cash for bugs is OK but that Orellana, the Danish programmer, went too far.
"If this guy can show the time he spent finding this bug and any costs he incurred while working on it, he can certainly ask Netscape to reimburse him," said Geoffrey Elliot, part of a trio of students at Worcester Polytechnic Institute who discovered a security flaw in Internet Explorer last March. "But the real issue is, what are his motivations? Ours was to protect our fellow users on the Internet. To that end, we took steps before going to the press to get the problems fixed."
Pro bono bug finding does have some personal rewards, though. Hackers get to temporarily bask in the glow of media attention and software companies routinely extend offers for consulting jobs to them.
In March, one programmer told CNET's NEWS.COM that he hoped to get a summer job out of Microsoft for finding an Internet Explorer security bug. Netscape once hired a British student who discovered a Java flaw in Navigator as a summer intern, and Edward Felten, a Princeton University assistant professor who has discovered numerous Java security bugs, has consulted with Sun.
In one extreme case, Sun paid a developer to create a malicious ActiveX control, which was demonstrated at the company's JavaOne conference in April. The demonstration illustrated a well-documented security vulnerability in ActiveX, not a new bug.
In the case of the Danish programmer, he won't be getting any financial reward at all. Today, Netscape said that it has successfully recreated the glitch, which could allow hackers to swipe data off a computer connected to the Net and that it will produce a fix next week on its own.