Page 19 - FCW, Nov/Dec 2016

the code base to focus on remediating the vulnerability.”
The other advantage to using the services of the emerging class of companies — which includes HackerOne, Synack, Bugcrowd and several others — is that they have created platforms where security researchers congregate. Furthermore, the companies have established reputations, expertise in managing what can be an unwieldy process and experience in specifying the parameters of a bug bounty contest. They also know how to triage and assign priorities to the order in which bugs should be fixed.
And figuring out who is responsible for fixing a bug can be complex, Moussouris said. “I started Microsoft vulnerability research, and one of our big missions was doing multivendor coordination,” she said. “Someone would report an issue with the [Internet Explorer] browser, for example, but when researching it, we found that it actually was a Flash issue. So we would pass it on to Adobe.”
Organizations pay companies like HackerOne to manage the process, and they pay for the vulnerabilities that are discovered. With traditional penetration testing, consultants receive flat fees whether one bug is discovered or 100.
“Instead of paying for the almost 1,200 reports that came in, we paid for the 130 or so bugs that we could act on,” Wiswell said. “We paid for those where we could say: ‘You’ve given us enough of an explanation, and we know how to fix this, and we’re going to go ahead and fix it.’”
The beauty is that bug bounty challenges shorten the bug discovery and fixing cycle from months or even years to a few days or weeks, she added.
But the key is fixing the problems quickly and not potentially exacerbating the security lapse by failing to act on a discovery in a timely fashion, Wiswell said. It’s also helpful to keep researchers updated on what is being done with their discoveries — whether and when the problem will be fixed or whether the problem is already known.
“Through this pilot, we found a cost-effective way to supplement and support what our dedicated people do every day to defend our systems and networks, and we’ve done it securely, and we’ve done it effectively.”
DEFENSE SECRETARY ASH CARTER
Spelling out the rules as precisely as possible is essential, Wiswell said. “We spent a tremendous amount of time with our legal team and all of the stakeholders across the departments to make sure that we defined our rules and restrictions down to a T,” she said. “You have to make sure that you tell folks what they can do and, almost even more importantly, what they cannot do.”
A spat between a security researcher and Facebook in December 2015 illustrates at least one way that things can go wrong. Wes Wineberg discovered a bug in Instagram and reported it to parent company Facebook. Alex Stamos, Facebook’s chief security officer, said Wineberg was thanked and offered $2,500. But he was unhappy with that amount so he hacked into the Amazon Web Services account associated with Instagram, where he started accessing technical information. He then told Facebook that he was going to write about what he had found.
Wineberg worked as a contractor for Synack, so Stamos contacted CEO Jay Kaplan and explained the situation to him. He told Kaplan that he thought Wineberg was acting unethically. According to Stamos, Kaplan said Wineberg’s actions were neither ordered nor condoned by Synack.
For his part, Wineberg said Facebook could have avoided the contretemps if its bug reporting policy were clearer — like Microsoft’s, which states that “moving beyond ‘proof of concept’”
November/December 2016 FCW.COM 19