by Daniel Peck, Research Scientist
Well, it's been almost a week since we launched the Barracuda Bug Bounty Program and we've learned some lessons:
First – security researchers aren't very good at following directions. This is completely understandable. After all, most researchers have gotten to where they are by breaking rules. With that said, we had to turn down three bug reports from two separate researchers. One reported some XSS bugs on our corporate website, which is out of scope. The other reported a few post-authentication, non-persistent XSS bugs in appliances that were in scope; however, the researcher used Barracuda demo servers to run his tests and find the bugs, and that too is a 'no no' according to the rules.
Second – not everyone is a fan of the program. There was a lot of positive feedback from the security community and from the press, but as with any new initiative, there have been a few nay-sayers. One complaint contended that by offering to pay for bugs, Barracuda Networks' products and our customers are more likely to be targeted by the bad guys. We'd like to think the exact opposite is true. There are more than 100,000 Barracuda products deployed globally, and there's a good chance that a good majority of those units are already being probed on a daily basis, both internally and externally, by good and bad actors alike. So we are taking the position that we should reward the 'good guys' who find and disclose vulnerabilities responsibly, giving us a chance to eliminate bugs before the bad guys find them.
Third – folks like reporting lower quality bugs for a quick buck. You know who you are, and we're not the only ones who have noticed. I won't argue that reflected XSS bugs aren't a problem – clearly input is reaching the page without the validation and output encoding it needs – but putting them on the same level as a persistent XSS bug or a remotely exploitable memory corruption bug would be foolish. So if you find one of those bugs in one of our products, we'll give you a big 'Thank you!' pat on the back. Heck, I'll even personally buy you a drink at the next security conference, but no, you won't be getting paid for it.
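To make the reflected versus persistent distinction concrete, here is an added example (not code from the post or from any Barracuda product; all names, the comment board and the sample payload are constructed for illustration). The reflected case only fires when a victim opens a URL the attacker crafted, so the payload never touches the server; the stored case fires for every visitor who loads the page. Both are fixed the same way, by encoding the value at the point where it enters the HTML.

```python
import html
from urllib.parse import urlencode

# Constructed sample payload for the demonstration.
PAYLOAD = '<script>alert(document.cookie)</script>'


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the query parameter is echoed into HTML unencoded."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Same page with output encoding applied where the value enters HTML."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflected_attack_url(base: str, payload: str) -> str:
    """The reflected payload lives only in the link the attacker must get a
    victim to open; nothing is stored server-side (hypothetical base URL)."""
    return base + "?" + urlencode({"q": payload})


class CommentBoard:
    """Minimal comment store to illustrate persistent (stored) XSS."""

    def __init__(self, encode_output: bool) -> None:
        self.encode_output = encode_output
        self._comments: list[str] = []

    def post(self, text: str) -> None:
        # Stored once by the attacker, then served to every later visitor.
        self._comments.append(text)

    def render(self) -> str:
        items = [
            html.escape(c, quote=True) if self.encode_output else c
            for c in self._comments
        ]
        return "<ul>" + "".join(f"<li>{i}</li>" for i in items) + "</ul>"


def contains_live_script(rendered: str) -> bool:
    """Crude check: does a raw <script> tag survive into the output?"""
    return "<script>" in rendered


if __name__ == "__main__":
    print(reflected_attack_url("https://example.test/search", PAYLOAD))
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
    board = CommentBoard(encode_output=False)
    board.post(PAYLOAD)
    print(board.render())
```

The same `html.escape` call fixes both cases, which is why the severity difference is about reach (one victim per crafted link versus every visitor) rather than about the fix.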
Overall, the first week has been a learning experience, for us and hopefully for the research community and the security industry as a whole. We'll keep you posted on the results of the program as time goes by. Until then, happy bug hunting.