Bug bounties and dependencies

I just launched a website! BountyGraph is built on the idea that horrible bugs in popular free and open-source software projects should be:

  1. Found
  2. Fixed quickly and
  3. Worth a lot of money

Unfortunately, some of the largest bounties are offered by organizations with a vested interest in not fixing bugs promptly or, sometimes, at all. Consider vulnerabilities in Apache HTTP Server. If one company’s publicly advertised price list is to be believed, you can earn up to $150,000 for a working exploit, as long as you’re OK with that exploit being packaged up and sold to governments. The Trend Micro ZDI pays well, but they release “protection filters” to Trend Micro customers for each vulnerability prior to notifying the project maintainers. If instead you’d like to report your bug directly to the maintainers, you’re likely looking at a $3,000 reward from the Internet Bug Bounty.

I want a vulnerability reporting mechanism that doesn’t provide any business with a commercial incentive to withhold information about a bug from those who can fix it. And one day I would like for that solution to be genuinely competitive with private vulnerability brokers.

Introducing BountyGraph

Here’s my proposal: what if the organizations that depend on the security of a piece of software could easily and specifically allocate funds to help keep it secure? This is the idea behind BountyGraph. BountyGraph facilitates crowdfunded bug bounties and security audits for free and open-source software dependencies.

The site works like this:

[edit: updated to reflect changes]

  1. Free and open-source software projects sign up for BountyGraph and create a profile page like this one.

  2. Through program pages, projects can raise money for bug bounties from their corporate users. There is also the option to crowdfund a security audit by a professional security consulting firm.

  3. Bugs are reported to the project either via the BountyGraph ticket system or out-of-band by email.

  4. Once a working patch is released, the maintainers assign a severity and submit the bug to BountyGraph for validation.

  5. BountyGraph notifies the project’s funding organizations, who then have the opportunity to pay bounties to both the hacker for finding the bug and the maintainers for fixing it.

BountyGraph does not and will not monetize any information about the vulnerabilities that are reported using our platform. Instead, we charge a fixed percentage fee on top of each bounty.

In a world where Facebook will pay you $7,500 for an XSS vulnerability affecting only their mobile site, I think it is really unfortunate how little is done to financially incentivize security research into the world’s most common dependencies. Very frequently, multi-million-user organizations rely on the security properties of software developed by hobbyists for free, but do nothing to ensure that even the most superficial vulnerabilities are discovered. When the stakes are this high, it is clear that we shouldn’t just be waiting around for good-natured hackers to find bugs in dependencies at no cost.

If you work for a company that wants to help close this funding gap, or if you run a FOSS project that wants to fund a bounty program or audit, I hope you’ll consider checking out BountyGraph!