In February, three MIT cybersecurity researchers reported that they had found major security flaws in the online voting application Voatz. Offering what’s known as a “bug bounty”—a payment for anyone who discovers and reports a security hole in software—Voatz sought to encourage independent “white hat” hackers to shore up the security of its service.
But the MIT team quickly found the reward was an even bigger problem than the bug. The terms of the Voatz bug bounty, set by the company and administered through the bug reporting platform HackerOne, said researchers couldn’t test Voatz’s app itself. Instead they’d have to use a copy of the app, which the researchers said didn’t work properly. According to MIT team member Michael Specter, that would have been a threat to the validity of the research. The bounty also didn’t allow for reporting of certain kinds of attacks, a restriction the researchers argued didn’t reflect real-world conditions.
While bug bounties have become an increasingly popular part of companies’ cybersecurity toolkit in recent years, researchers have run into an array of problems with the way they are structured and managed. Critics say the programs, particularly those run with intermediaries like HackerOne and Bugcrowd, often limit the scope of researchers’ work and their ability to share findings. These shortcomings, they say, could ultimately leave important software more vulnerable to “black hats,” or malicious hackers.
Katie Moussouris, a former HackerOne executive who has also helped Microsoft start a bounty program, has publicly called attention to these issues. In a keynote address at the RSA security conference in February, Moussouris, who holds significant stock in HackerOne, said that in their current form many bug bounty programs are superficial “security Botox,” meaning they’re better for helping companies to look good than they are for actually securing software.
The leaders of bug bounty services counter that putting guardrails around bounty programs, at least temporarily, serves the larger goal of balancing white-hat ideals of total transparency with the needs of companies whose resources and reputations are on the line.
“Bug bounty programs are amazingly successful at identifying vulnerabilities,” says HackerOne CTO Alex Rice. “Getting companies working with [external] security researchers is the most important step.”
“Buying researchers’ silence”
The controversy surrounding the Voatz bug bounty isn’t an isolated case. In recent incidents involving PayPal, streaming platform Netflix, drone maker DJI, and videoconferencing software Zoom, security researchers reporting bugs through bounty programs found themselves tangled in procedural or contractual runarounds—some of them downright Kafkaesque.
In particular, researchers have been galled by nondisclosure clauses that are often part of bounties run through HackerOne and Bugcrowd. In order to submit a report to some public bounties, researchers must agree to restrictions on discussing their findings publicly. In limiting public knowledge about possible security vulnerabilities, nondisclosure clauses benefit individual companies, critics say, at the expense of broader advances in cybersecurity.
Nondisclosure clauses can be appropriate when security researchers are hired to conduct “penetration testing” under contract, critics grant. But when applied to incoming reports from the public, the clauses appear to undermine a widely accepted practice among cybersecurity researchers known as “coordinated vulnerability disclosure.”
A ticking clock sits at the core of coordinated disclosure. If a bug has been reported but not fixed within a reasonable time frame, generally between 30 and 90 days, it is widely considered ethical for a hacker to disclose it publicly. That norm originated in the 1990s, when independent security researchers found some companies wouldn’t even acknowledge their reports of dangerous bugs. The threat of releasing a hacking method publicly encouraged businesses to fix their vulnerabilities quickly.
After a bug is patched, publicly discussing it can help programmers to fix or prevent similar vulnerabilities elsewhere. As cybersecurity analyst Keren Elazari has put it, this public dialogue helps make white-hat hackers “the Internet’s immune system.” A recent survey of cybersecurity professionals by the security firm Veracode found that 90% regard public disclosure of vulnerabilities as a “public good” that improves cybersecurity overall.
Chris Wysopal, Veracode’s CTO and one of the pioneers of coordinated disclosure, worries that the rise of bug bounties is weakening that knowledge sharing among security researchers. Recent cases illustrate exactly how that is happening.
For example, when Jonathan Leitschuh discovered a serious vulnerability in the videoconferencing software Zoom last year, he had coordinated-disclosure norms in mind. Ultimately, Leitschuh chose not to pursue a bug bounty Zoom offered through Bugcrowd, because nondisclosure terms would have prevented him from talking about his findings. The bug was fixed only because he was eventually able to go public, he says.
“[Zoom’s] first response was, This is not a vulnerability,” Leitschuh says. “After 24 hours of having the media holding their feet to the fire, they admitted, Okay, it’s a vulnerability.” Leitschuh now thinks that nondisclosure clauses in bug bounties are equivalent to “buying researchers’ silence.” Zoom declined to comment for this story.
Casey Ellis, cofounder and CTO of Bugcrowd, says his company encourages its customers to be generous in their disclosure terms and pushes clients to minimize restrictions. Rice at HackerOne says he also supports disclosure in many cases, but also that existing disclosure standards may not be all they’re cracked up to be. He admits that in the Zoom case, there were “clear benefits to disclosure,” but says that the public and the press often misinterpret disclosures.
“I’m not sure what benefit users get from publishing a bunch of unvalidated security vulnerabilities,” Rice tells Fortune.
The nondisclosure dance
The nondisclosure terms of bug bounty programs often appear to remain in force even if a bug is deemed “out of scope”—broadly, something that’s not considered a threat and therefore won’t be fixed. But the fundamental question of what constitutes a “valid” bug speaks to one of Moussouris’s biggest critiques.
For instance, recent vulnerabilities at PayPal and Netflix were deemed “out of scope” by workers who reviewed bug bounty submissions. But the terms of the bounty programs—PayPal’s through HackerOne, Netflix’s via Bugcrowd—nonetheless restricted the researchers from publicly discussing the exploits they found.
Both findings were ultimately published without permission. Though Rice says HackerOne allows researchers to request permission to publish in such cases, the researchers who reported the PayPal vulnerability did not receive clearance to disclose.
With Netflix’s vulnerability, a Bugcrowd worker warned the researcher that he had violated the platform’s terms by tweeting about his findings after they were deemed out of scope for the bounty. In a statement, Bugcrowd said in part that “it’s important that the disclosure comes only after a discussion between the researcher and customer’s program owners so that both parties reach a mutually agreeable disclosure timeline.” In cases in which a researcher violates disclosure restrictions, Bugcrowd “work(s) with the researcher to remove this information from public forums to protect the researcher and customer.”
The Voatz case, however, has become a dramatic example of the risks of the opacity built into many bug bounties. Because Voatz is considered critical election software, the MIT team ultimately was able to report their discoveries through the U.S. government’s Cybersecurity and Infrastructure Security Agency, instead of through HackerOne.
Voatz disputed their findings and accused the researchers of acting in “bad faith.” Voatz CEO Nimit Sawhney alleges that the MIT researchers were motivated by an “urge to make a scandal” as part of a “coordinated campaign” whose “main goal is to stop any and all Internet voting.” Specter defends his group’s turning to the media “because they would be best situated to clearly and accurately communicate information to the public at large.”
By early March, West Virginia found the MIT researchers’ claims credible enough that the state decided to use a different system for its May primary. On March 13, an independent research group released a second report confirming many of the MIT group’s claims and finding additional issues. According to reporting by Cyberscoop, the report included critical vulnerabilities that had been submitted through Voatz’s HackerOne bounty but that the election app’s maker had classified as noncritical.
Then on Monday, March 30, HackerOne announced that it was removing Voatz from the platform, the first time it had taken that drastic step. The move was apparently prompted by Voatz’s treatment of the MIT researchers, including subsequent changes to its program terms that stripped legal protections from hackers testing its app.
Voatz CEO Sawhney characterized HackerOne’s move as a “mutual decision,” but the bug bounty company declined to confirm this characterization. “We work tirelessly to foster a mutually beneficial relationship between security teams and the researcher community,” HackerOne said in a statement to Fortune. “[The Voatz bounty program] ultimately did not adhere to our partnership standards and was no longer productive for either party.”
The irony of all this is that if the MIT group had not skirted HackerOne’s nondisclosure terms by reporting its findings to the federal government, the flaws in Voatz’s app might never have come to light at all.
“Chaos, every single time”
Both HackerOne and Bugcrowd have a financial interest in touting the benefits of bounties, while making things easy on their customers. HackerOne, which administers programs for the likes of Nintendo, Starbucks, and Slack, has raised $110 million in venture capital since its 2012 founding. Bugcrowd, a similar service, has raised just over $50 million, and its clients include Fitbit, HP, and Motorola.
But security veterans worry that the fashion for bug bounties, including among major firms, is eclipsing more effective approaches to software security.
Davi Ottenheimer has held executive security roles at MongoDB and EMC, now part of Dell. He considers bug bounties unnecessary to serious cybersecurity, and he says he has consistently gotten good-quality bug reports from independent researchers without running formal bounty programs. “The best researchers, sure, they’ll take some money,” Ottenheimer says. “But mostly what they want is a better world.”
A survey by Veracode confirms that. While 47% of responding organizations said they had a bug bounty program, on average only 19% of their bug reports came through those programs. And while 57% of respondents who had reported a bug said they expected communication about their report, only 18% expected payment.
The MIT researchers who uncovered the Voatz bugs echo that sentiment. “We were interested in figuring out how well they’d respond to the bugs we found,” says Specter. “We weren’t interested in the money at all.”
Veracode’s Wysopal feels messaging from bug bounty platforms has contributed to confusion. “They lead with [the idea that] the crowdsourced way is the best and most efficient way to secure your software,” he says. “But if you look at the economics of it, firms like Google and Facebook look at bug bounties as an add-on, a backstop, icing on the cake.
“The cake is, Let’s have trained developers with the right tools building secure software,” he adds.
Rice considers it HackerOne’s mission to advocate for the benefits of bug bounties, even if that means being flexible on ideals like transparency and disclosure.
“I cannot overstate how much work [disclosure] is for an organization and a communications team,” he says. “It’s chaos every single time...We have customers who sign up for the public scrutiny,” Rice adds, “and those who would rather not.”
But Ottenheimer says that’s exactly the problem: Companies want the good press that comes with bug bounties but without the transparency these programs should entail. “It’s about optics,” he says.
Ottenheimer points out that headline-generating bug bounties failed to prevent one of the biggest disasters in cybersecurity history. “They added a $2 million bounty to the Yahoo budget,” he says. “Yet 3 billion accounts were compromised [later that year].
“The news said, ‘Look how great they are—they spent $2 million.’ But that doesn’t map to safety at all.”