Yesterday, Google security researchers discovered a disturbing leak in one of the internet’s most crucial services, Cloudflare.
In addition to providing DDoS protection, millions of sites use Cloudflare to provide access to assets in the most expedient fashion. And for several months, it leaked passwords, keys, IP addresses and more, like a broken faucet. Millions of sites – including some of the most popular, high-profile sites – were affected by this problem, causing various security researchers to warn everyone on the Internet to change their passwords. That’s how serious it is.
But that’s not what I want to talk about. There are dozens of publications that have delved into this issue with the level of depth and clarity that I couldn’t have. Instead, I want to talk about Cloudflare’s bug bounty program. Frankly, it’s inadequate. But don’t take my word for it. Let’s hear from some actual security researchers and users of the service.
there’s a gif for this.
I dont think I need to post it though. pic.twitter.com/5QkYjwmGtM
— Dan Tentler (@Viss) February 24, 2017
“Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt.”https://t.co/pU7qf85ExE
— Linus Nordberg (@ln4711) February 24, 2017
As an enterprise customer I’d love to see a bug bounty program that offers much more then a shirt and free service, @Cloudflare 😉
— Caspar C. Mierau (@leitmedium) February 24, 2017
First, let me explain why bounty programs are important. There are three main reasons.
To begin with, it gives the vendor control over the vulnerability disclosure process that they wouldn’t otherwise have. By dangling a carrot in front of the researcher’s face, they ensure that they’re able to look into the issue and issue a patch long before it becomes public knowledge. It establishes a formal process and rulebook which the researcher has to adhere to, in order to get paid.
Almost as important, bug bounty programs provide a financial incentive for developers to share their work with the vendor, rather than selling it to the highest bidder for a fortune in bitcoin.
Security vulnerabilities are a highly sought-after commodity. Some of the most sought-after ones (iOS vulnerabilities are particularly desirable) are sold for as much as seven figures. This is an industry that that has some legitimate players, like Zerodium, which buys vulnerabilities and resells them to its government and industry partners. But it’s also a market that’s been (perhaps unfairly) characterized by its less-than-legitimate facets. There’s a flourishing market for vulnerabilities on the dark-net, where buyers are often organized criminals. These bad actors use these vulnerabilities to spread malware, hack systems, and commit fraud.
Finally, bug bounty programs are important because rewarding researchers is the decent thing to do.
Researching vulnerabilities takes time. It’s a long, laborious, and multidisciplinary process. Above all, it’s a scientific process, where researchers check their findings against different versions of the same piece of software, in order to pinpoint precisely what versions are impacted.
This is something I know from personal experience. When I did my first degree (in Ethical Hacking for Computer Security), a classmate discovered a serious issue in WordPress (CVE-2010-0682) that allowed an attacker to view some of the contents of a deleted draft. Together, we pulled an all-nighter to pin down the issue, before reporting it to Automattic. Make no mistake, it was serious graft, albeit one that we were happy to do.
If you’re a for-profit company, and you’re benefiting from the work of researchers, it’s only right you throw them some coin.
Which brings us back to Cloudflare. For a company of its size and industry, it’s vital that it collaborates with the security community. There are several amazingly talented independent researchers, many of whom are guided by strict and unwavering principles. They want to work with Cloudflare because they see it as the most ethical thing to do.
By offering just a t-shirt as its bug bounty reward (for context, Google offers up to $100,000 for vulnerability affecting Chrome OS) shows that it isn’t interested in leveraging this highly important asset. It’s negligence, basically, and it hasn’t gone unnoticed.
— MLTs (?〈THOUGHTS〉.*) (@ret2libc) February 24, 2017
And maybe if Cloudflare had shown any desire to work with the security community, and offered some serious incentives, this devastatingly significant issue could have been identified months earlier.