While the European Union’s latest bug bounty program for widely used open source projects sounds like a step towards improving the security of the overall Internet ecosystem, these programs may wind up complicating efforts to secure these applications.
The European Union has committed to pay €850,000 (nearly $1 million) in bug bounties for vulnerabilities found in 15 open source projects as part of the edition of the Free and Open Source Software Audit (FOSSA) project, said Julia Reda, a member of the European Parliament representing the German Pirate Party. The projects are 7-zip, Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), KeePass, midPoint, Notepad++, PuTTY, the Symfony PHP framework, VLC Media Player, and WSO2. Six of the projects will accept vulnerability reports until the summer, six until the end of the year, and three will accept reports through 2020. Drupal, a powerful content management system, and PuTTY, a terminal emulator, serial console and network file transfer application, have the largest amounts allocated under this program, at €89,000 ($101,000) and €90,000 ($102,000), respectively.
FOSSA was launched by Germany’s Reda and Max Andersson, member of Sweden’s Green Party in the European Parliament after researchers discovered the Heartbleed vulnerability in OpenSSL back in 2014. Heartbleed impacted SSL as well as other software the open source library provided functions to, resulting in many organizations scrambling to understand their exposure. The initial version of FOSSA created an inventory of all open source software used by the European Parliament and sponsored security audits for Apache HTTP web server and KeePass password manager. The second edition of FOSSA ran a bug bounty program on HackerOne for VLC Media Player.
However, the EU announcement highlights one of the main problems with bug bounties: the emphasis is on finding vulnerabilities, not fixing them. Developers already have a long list of vulnerabilities and bugs—bug hunters just make the list longer. Developers need the resources to be able to fix the issues. The way issues get fixed in open source software is also very different from closed-source and proprietary software, which also adds to the pressure on the project maintainer.
Only those who are responsible for fixing bugs should start bug bounties. (Katie Moussouris, Luta Security)
“The projects are already overworked, they don’t need a bunch of new bugs to fix,” Josh Bressers, who leads product security at Elastic, the company behind Elastic Stack (Elasticsearch, Kibana, Beats, and Logstash), wrote on Open Source Security.
Creating a Longer List
Organizations learn about flaws in their applications they otherwise would not know about through bug bounty programs, but that knowledge doesn’t help if the organizations don’t have a way to triage the incoming reports and fix the issues. Enterprises can decide to invest in developing that process. That isn’t always an option for open source projects—if they don’t have corporate sponsors—as they tend to be underfunded and rely heavily on volunteers. The projects that would benefit from having more people scrutinizing the codebase for flaws are also the projects that are hurt because they can’t readily shift resources to fix those same issues.
“I disagree that it's [bug bounty program] a good thing on its own. Where is the money for more paid maintainers?” Katie Moussouris, founder of Luta Security and expert in software vulnerability management, wrote on Twitter. “Oops. It's not there.”
Consider the case of Network Time Protocol (NTP), an open source protocol used to synchronize clocks on servers and devices to make sure they all have the same time. It is arguably one of the most important pieces of software in use, but back in 2016, the lack of financial support meant there were grave concerns over maintaining the software long-term. There was too much for principal engineer Harlan Stenn, as the sole maintainer, to do alone, but without a sponsor or more funding, hiring someone to help wasn’t an option. NTP currently gets funding from the Linux Foundation’s Core Infrastructure Initiative, and the Network Time Foundation, a non-profit Stenn established for NTP, lists several corporate donors on the site.
But imagine if there had been a bug bounty program for NTP around the time the project team was trying to figure out its financial future. It makes sense—since NTP is critical Internet infrastructure in every way that matters—but without additional funding, these flaws would have remained unfixed.
“A #bugbounty on open source projects that don’t get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future,” Moussouris wrote.
One possibility is to require the finder to submit a working patch along with the vulnerability report, but Moussouris said that additional challenges for the maintainers. When the maintainers for Apache Server Core, who are named in this program, were asked if getting patches would be helpful, they "specifically said no empatically, since they already spend an inordinate amount of time arguing against patches that would introduce breaking changes," Moussouris said. "Tying bounty payout to this would increase their work."
Bug bounty programs operate on the assumption that resources exist to resolve the issues that are found. That assumption plays out differently for open source software and commercial software. When the issue is found and responsibly disclosed to the vendor, the vendor has time to fix it within a time period. Within a certain time period, there is typically no public information about the flaw. With open source software, that vulnerability may be saved to a public tracking system such as Bugzilla or GitHub Issues. There may be discussion between developers on the best approach to fixing the flaw.
If there is a delay in fixing the issues—because there is only one person and only so many hours in a day—users are left vulnerable because anyone could use the public details and create exploits targeting those flaws.
Where is the money for more paid maintainers? Oops. It's not there.
“Any security issue disclosed in public leaves users vulnerable until a fix is found,” said Tim Mackey, senior technical evangelist at Black Duck by Synopsys.
Even if the developers fix the issue promptly, there remains the challenge of delivering the fix to all the users. Commercial software typically has a single release stream, so once the issue is addressed in that stream, all the users get the fix once they apply the update. In open source software, there are multiple release versions and branches, making it difficult to coordinate fixes in a way that all the branches pick up the updated code.
“This [delivering the fix] is by far the most significant hurdle for bug bounty-based efforts in [open source software],” Mackey said.
Funding For Fixers
Only those who are responsible for fixing bugs should start bug bounties," Moussouris said. "Else, you risk bug foie gras.
Bug bounty programs should be considered as part of a broader software management program, one that looks at how software is developed, maintained, and supported. The recent focus on bug bounty programs for open source projects doesn’t automatically lead to more secure software. These projects are chronically underfunded.
Tying bounty payout to this would increase their work.
“I would be happier had they also funded developers and security professionals to work with the communities creating their target applications,” Mackey said. That way, issues would be discovered and software could be improved at the same time.
There needs to be a framework that lets groups—governments, companies, and individuals—fund open source projects in a more sustainable manner.
Figuring out the “next step that will give the projects resources” will go further towards improving security than bug bounty programs, Bressers wrote. “Resources aren’t always money, sometimes it’s help, sometimes it’s gear, sometimes it’s pizza.”
This story was updated with additional comments posted on Twitter by Katie Moussouris.