40

We have been contacted by an "independent security researcher" through the Open Bug Bounty project. First communications were quite OK, and he disclosed the vulnerability found. We patched the hole and said "thank you", but declined to pay a donation (see below).

The researcher then sent a follow up email saying that he has found more vulnerabilities, but because we didn't make a donation, he will keep those vulnerabilities for himself.
In other words, he only told us he had more vulnerabilities, but would not disclose them, after we made the decision to not pay the suggested voluntary donation.

To my understanding, this is no longer in line with responsible white hat behavior. Am I right in this assertion?


Update
Yes, the person has been quite explicit in the suggested amount for the donation.

The various reasons include for not paying the requested 'donation' are:

  • the suggested height of the 'voluntary donation' in combination with the severity of the vulnerability found,
  • the vulnerability in question was, according to our logs, not found by a 'highly skilled' individual, but rather by an automated tool,
  • the fact that the Open Bug Bounty project explicitly mentions that no payment is required,
  • the passive aggressive tone of voice.

The above, in combination with the fact that, while we are in the process of setting up a bug-bounty budget and associated policy, we haven't completed this yet.

Let's be clear: we did not set a bounty, nor promise one and we did not sign up for this project. The Open Bug Bounty project is an unaffiliated project, that explicitly says: "There is, however, absolutely no obligation or duty to express a gratitude".

Also, note: While I'm in support of some sort of legal framework to protect bona fide security researchers, this legal framework does not, at this moment, exist in our jurisdiction; a fact our legal person was all too keen to point out.

Jacco
  • 7,402
  • 4
  • 32
  • 53
  • 48
    If you think the researcher is behaving unethically, then you can report them to the Open Bug Bounty people, I believe. And I'll grant you that someone saying 'I've got bugs, pay up if you want to know what they are' is acting poorly (to me that feels a little like extortion). On the other hand, since you haven't specified why you declined to pay a bounty on the first bug, I'm unclear why you think this researcher would give you the time of day - these people ARE in it for the money. – Michael Kohne Oct 30 '17 at 11:51
  • 4
    I have a problem with the "because we didn't make a donation, he will keep those vulnerabilities for himself". Sounds like a childish behaviour at best, or extorsion at worse. Of course he is not threatening anyone, but it tells implicitely "next time pay or deal with unknown vulnerabilities." And if the guy is not dumb he could still disclose these vulnerabilities else where, without explaining it beforehand. – Kaël Oct 30 '17 at 13:52
  • 11
    @Kaël It's an interesting conundrum. If the researcher just buries the findings, then it's as it they never did the research so it's hard to call foul. If they created exploits and sold them to criminals, that would definitely seem like extortion. If they just publish them to the world, the OP will get to know about them too, they just won't have a head-start. A completely different way to look at it is that the OP already got some free help. Why should they expect to get more for free? I do think referring to it as a 'donation' makes things seem more seedy, though. – JimmyJames Oct 30 '17 at 14:01
  • 1
    @Jacco can you elaborate on what an answer might mean to you? If the answer is 'no', what is your next step? Are you asking if this behaviour indicates a threat that you need to protect yourself from? – schroeder Oct 30 '17 at 15:08
  • 1
    @schroeder, The software is being rewritten (major refactor), so the value of knowing the exact vulnerabilities is low (although interesting). My main concern is with the attitude that basically says: "we found vulnerabilities in your software, pay-up"; it is the implicit threat that I mind. I think the behaviour is painting a bad picture for independent/freelance researchers. – Jacco Oct 30 '17 at 15:21
  • 2
    @Jacco given the involvement of a 3rd party bounty program, which provides legitimacy and shifts the whole context of the scenario, nothing is clear - this could be a black hat or a frustrated white hat – schroeder Oct 30 '17 at 15:36
  • @JohnDeters, given the current proposition, I legally can't pay him any money, even if I wanted. If I pay now, I agree to extortion and thereby commit a crime. – Jacco Oct 30 '17 at 19:01
  • 4
    Once the other party has put a condition on receiving money, it is no longer possible for that money to be accurately called a "donation". It would be fair and more polite and honest for them to say, "I think I found some other vulnerabilities, which I will happily sell to you. Here is a list of my previous satisfied customers. Feel free to contact them to verify that I am honest and experienced." – Todd Wilcox Oct 31 '17 at 02:29
  • `given the current proposition, I legally can't pay him any money, even if I wanted. If I pay now, I agree to extortion and thereby commit a crime.` In which case it's definitely black hat, so why make the thread? –  Oct 31 '17 at 10:18
  • @JᴀʏMᴇᴇ Because ethics and law don't always coincide. I was asking about the ethical part of the issue; I hoped the community would have some sort of consensus, but it seems the question did not result in such a thing. – Jacco Oct 31 '17 at 10:34

4 Answers4

74

To my understanding, this is no longer in line with responsible 'white hat' behavior. Am I right in this assertion?

White (and grey/black) hat are vague terms. There is no fixed universal definition. By the wikipedia definitions most researchers would be viewed as Grey Hat seeing as its not uncommon to publish if the software publisher refuses to patch.

The easy answer to your question is no. If your aim is to make the world more secure then this clearly does not directly align. There is an indirect argument - that by encouraging financial reward it encourages a healthier relationship between businesses and researchers as well as encouraging more people into the field.

Why do you even ask? The researcher is in no way obliged to disclose to you. Unless you can prove he broke the law in finding the vulnerabilities you have no leverage to force him to. To date you have received several hours worth of work from a (hopefully - otherwise that casts yourselves into a bad light) high skilled individual entirely for free. Either you view it as worth paying him to continue offering services or you don't.

*Seeing the title I would argue this is not Black Hat behavior unless he deliberately exploits the vulnerabilities for his own gain or your own harm (/gives them directly to someone with that intention). If he just refuses to disclose the argument would be between white/grey hat definitions.

Hector
  • 10,893
  • 3
  • 41
  • 44
57

The researcher did not create the vulnerability and has not threatened to release or exploit what he has found. If you do not wish to pay for his work then don't and your company is no worse off than it was before he contacted you. In fact he has given you a gift of telling you that there is a vulnerability which you can find yourselves or through another contractor.

So no, he has not done anything unethical.

PStag
  • 401
  • 3
  • 4
  • 4
    Wouldn't it be considered unethical to align yourself with an organization that claims donations are not mandatory and then demand a donation? – corsiKa Oct 30 '17 at 20:13
  • 5
    @corsiKa "align yourself"? On Open Bug Bounty website I was not able to find anything about ongoing dependency between organization and person who reported. – Mołot Oct 30 '17 at 23:16
47

I'm a bug hunter and I have no idea why everybody here thinks it's perfectly fine of him to attack your website without permission, determine a bounty amount himself, and threaten to hold back potentially dangerous flaws because he doesn't get the money he wants. Why didn't he ask about your policy beforehand? You never claimed to run a bug bounty program, or to be able to pay anyone for anything in the first place.

To clarify again, OP did not sign up for the Open Bug Bounty project. The project offers to be an intermediary between researchers and websites that don't run a bounty program. Also, they explicitly mention that you are not obliged to pay anything, and the researcher should be well aware of that if he read the guidelines.

A website owner can express a gratitude to the researcher in a way s/he considers the most appropriate and proportional to the researcher's efforts and help. We encourage website owners to say at least a “thank you” to the researcher or write a recommendation in the researcher’s profile. There is, however, absolutely no obligation or duty to express a gratitude.

(Emphasis my own)

If he expects a monetary reward, he should be searching for bugs at companies that actually run a bounty program. There are plenty of reputable programs paying high rewards.

The researcher then sent a follow up email saying that he has found more vulnerabilities, but because we didn't make a donation, he will keep those vulnerabilities for himself.

If he already found them and it's not much effort to put them in a list and let you know, then yes, I find it unethical to hold the bugs back.1 You didn't ask him to do work for you. He could have inquired if you pay for bugs beforehand. And he didn't so much offer you his expertise for a donation - from your description it sound more like a mild threat that if you don't pay him, your website is in danger.

Take that incident as a hint that you need to invest more in your security. Consider setting up a real bug bounty program with small bounties or hiring a professional penetration tester. But don't let him extort money from you if you never promised any.

1It's not that he should do free work for you. It's the fact that he mentions that there is something he won't tell you unless you pay him a particular amount that makes it unethical, especially if an exploitation of these bugs could threaten the future of your company.

Arminius
  • 43,922
  • 13
  • 140
  • 136
  • 17
    The linked page also mentions they have "a zero tolerance policy for any unethical activities around submissions. If researcher's behaviour borders on extortion[...], such submissions will be deleted immediately." So the researcher is definitely out of line. – HAEM Oct 30 '17 at 14:30
  • 18
    Just a question from someone outside of this domain. I assume that the reporting process for these found bugs is not a trivial amount of work. Why would a researcher be ethically required to contribute further effort when there is misalignment on how they *"express a gratitude to the researcher in a way s/he considers the most appropriate and proportional to the researcher's efforts and help"*? If I don't feel the expression of gratitude is appropriate and proportional why would I be obliged to put any further effort into improvement of the code? – Myles Oct 30 '17 at 14:38
  • 19
    He was not obliged to search for the bugs. OP is actually better off now than before the security researcher contacted them. OP now knows about one vulnerability and also knows that others exist. All this valuable information OP got for free. I even found vulnerabilities by accident and didn't report them for various reasons. Am I a evil black hat now? I probably could use them to create monetary losses to this companies. This would be black hat behaviour. But nowhere am I required to share the information about the vulnerabilities. – Josef Oct 30 '17 at 14:53
  • 7
    @Myles I clarified my line of argumentation in the answer. The reporter should not do extra work. But he clearly uses his knowledge of more security bugs as a leverage to get money. He decided to mention the bugs to put pressure on OP with the implicit threat "you don't have to pay, but then I can't guarantee for your security". Also, it's usually not that expensive to compile already found bugs into a simple list. – Arminius Oct 30 '17 at 15:44
  • 2
    @Arminius From OP: *The researcher then sent a follow up email saying that he has found more vulnerabilities, but because we didn't make a donation, he will keep those vulnerabilities for himself.* There is an assumption in "... unless you pay him..." that the tester is continuing to ask for money, whereas from what the OP actually said the tester ended their involvement due to the previous request being unfulfilled. There is no statement that the tester will provide those missing bugs now that they've decided this organization isn't worth dealing with. Am I missing something here? – Myles Oct 30 '17 at 16:17
  • @Myles I'm not sure what your point is. I don't claim that the researcher sent yet another email asking for money after the first follow-up. Also, I don't claim that the researcher did provide the bugs afterwards. – Arminius Oct 30 '17 at 16:31
  • 3
    @Arminius Based on what the OP said the researcher didn't ask for money in the first follow up. Read carefully *...but because we didn't make a donation, he will keep those vulnerabilities for himself.* No request for funds, simply a termination of the relationship. That is material in this not being extortive. Can you clarify your basis for the assumption "...that there is something he won't tell you unless you pay him that particular amount..."? I'm just not seeing an "unless you pay" in the information presented. – Myles Oct 30 '17 at 17:01
  • 2
    @Myles In this particular context, I make the assumption that from *"I don't give you valuable information because you don't pay me."* follows *"I would give you valuable information if you paid me."* That's obvious to me, from what OP reported. – Arminius Oct 30 '17 at 17:16
  • 6
    @Arminius I disagree with that being obvious. I think it's a jump in logic based on an unfounded assumption. Thanks for the clarifications, I have a much better understanding of your reasoning. – Myles Oct 30 '17 at 18:24
  • 3
    @Josef: While it is true that OP is better off knowing there's a vulnerability, the argument is moot, in my opinion. This is like someone entering your home because the front door was not locked (or opening the lock with a pick), after having tried all the doors in the neighbourhood. Then, that guy leaves a letter on your kitchen table telling you to give him money. Seriously? What makes you think the entire endeavour is legitimate and not highly criminal to begin with? The fact that someone says "Oh, but I break and enter just to make your home more secure"? This was not asked for. – Damon Oct 30 '17 at 19:25
  • 1
    @Damon What does that have to do with the question though, which is about the ethics of asking for money to disclose a found vulnerability? The ethics of searching for vulnerabilities without invitation is a completely different question. – David Schwartz Oct 30 '17 at 23:26
  • 2
    @Damon: your analogy should have been, instead of "leaves a letter on your kitchen table", "reported the open door to the neighbourhood anti-crime association that fosters reports of vulnerabilities". Quite a difference. And the reality is that if those being informed of vulnerabilities are not paid, there will be little incentive to disclose those vulnerabilities. And, finally, I wonder why it's called the Open Bug **Bounty** ? – Martin Argerami Oct 31 '17 at 04:27
  • 2
    @Damon the analogy would be more correct like this: I walk by OPs home and see that his expensive bike is on the lawn unsecured. Also a window on the first floor is open and a ladder directly beneath. I walk to the door, ring the bell, tell OP "Hey man, your bike is out unsecured. I'd fix that". OP tells me "F*ck off you ass". I walk away and tell him "if you don't appreciate my help, I won't tell you about your other security problems. Good bye!". What exactly is wrong about that? If my help is not appreciated, I won't provide it. – Josef Oct 31 '17 at 10:37
11

He doesn't need to disclose- but he knew coming in during the second round you don't pay. So what is his motivation? You cannot know- so he is using that gap to create pressure on you to pay.

However- since he hasn't threatened to release malware or sell to black hats,he is potentially clear legally and maybe even ethically if he never does so, or if he just does an open dump of the exploit without selling it to black hats.

He could sell it legally to nation-states and security companies, but not knowing the importance of your code, its impossible to say if that is a saleable venue for the 'researcher.'

Paying a fair market value is probably your best bet. The person has spent time doing the research and the information does have value for you. Even if they release it in the open he is in the legal clear. It gets down to what harm a no-notification release would do to you. If the answer is not much, then ignore it. Otherwise come up with the cash. This is purely utilitarian BTW- not really speaking to the ethics. Ethically he should have dropped researching your app/site one he knew you weren't interested in paying, unless there is public data he feels you are putting at risk.

Mark Stewart
  • 111
  • 3
  • 2
    An actual ethical analysis! Welcome to the site. – schroeder Oct 30 '17 at 19:10
  • `Even if they release it in the open he is in the legal clear.` Are you sure about that? In all jurisdictions? – tim Oct 30 '17 at 22:44
  • A related version of this might be to hire the individual as a contractor (since the OP is worried about it being extortion). If simple automated tools are sufficient to find exploits in your software, then maybe it makes sense to put someone on the payroll to run such software. I would argue that it shouldn't qualify as extortion if you identify a business need, look at his resume, and pay him a fair wage based on his actual skills and reputation. If all he does is run automated tools, that price might be low (even lower than the "donation"), but it may be repeat business. – Cort Ammon Oct 31 '17 at 00:47