Finding bugs in open source code


First, let’s dispel the myth: open source software is no less secure than closed source software. However, once a vulnerability is found in an open source program, it tends to be much easier to weaponize and exploit than a vulnerability found in closed source code, because the code, and therefore the flaw, is visible to everyone.

“The biggest risks with open source come from the fact that open source projects are often funded by a labor of love, led by people in their spare time,” said Casey Ellis, Founder and CTO of Bugcrowd, in an email interview. “It’s not uncommon for software run by two-thirds of a person and their cat to end up being something that underpins a significant part of the Internet.”

This creates two big risks, Ellis added. The first is that there is limited bandwidth to troubleshoot issues, which delays repair time and ultimately hampers the ability of the open source ecosystem to self-repair. The second, linked to that need for help, is the relative ease with which an adversary can covertly get their code merged into a project, or even socially engineer their way into a position as the “evil” assistant responsible for its maintenance.

Organizations of every kind rely increasingly on open source. As a GitHub report stated, it has become nearly impossible to find a situation where data is not flowing through at least one open source component. Every industry vertical uses open source code, which means that an exploited vulnerability could cause significant damage. Yet, according to GitHub, it takes an average of four years to discover a vulnerability in open source software.

Enter bug bounties

Four years is far too long for a vulnerability to go undiscovered, which is why more and more companies have introduced bug bounty programs. In the big tech world, Apple, Facebook, Microsoft, AWS, and Google all have programs that pay millions to successful security researchers and ethical hackers who uncover serious problems.

Another example is Clubhouse, the audio social networking app, which has just teamed up with HackerOne. “Clubhouse’s public bug bounty program will provide their internal security team with ongoing testing support from a diverse pool of talent through our global community of over one million hackers,” said Michiel Prins, co-founder of HackerOne.

The goal of this bug bounty program is to find and fix as many vulnerabilities as possible before they affect the company’s open source code.

Bug bounties are important for several reasons, Jake Williams, co-founder and CTO of BreachQuest, said in an email comment. First, they encourage more researchers to analyze the code and find vulnerabilities. Second, they encourage researchers to only publicly disclose these vulnerabilities once they have been patched, leading to a more secure cybersecurity landscape.

Start a Bug Bounty program

Bug bounty programs are good at identifying vulnerabilities (especially when source code is available), which is half the problem, Ellis says, but they can also attract security-conscious engineers with the ability to contribute open source patches to projects in need of that kind of help.

Anyone can run a bug bounty on their own; however, running a program is extremely complex. “Organizations that don’t have a good bug bounty implementation plan can face significant challenges, including damage to their reputation if they don’t fix reported vulnerabilities quickly enough,” Williams said. “Any organization looking to implement a bug bounty program for the first time should hire a third party.”

In addition to funneling greater security scrutiny and assistance into products that often power their own organizations, there are huge ecosystem benefits and some Internet-protector prestige that come with funding projects that bring a benefit beyond the company writing the check, Ellis added. And it doesn’t matter who makes the discovery, even if it’s a threat actor revealing the vulnerability.

Open source makes it pretty clear why the “black hat” and “white hat” designations are quickly becoming irrelevant to pure vulnerability management, Ellis pointed out.

“Ultimately, organizations cannot reliably control an opponent’s potential actions, but they can influence the difficulty for the attacker who will eventually present themselves. In this case, the information is what’s important, not where it came from,” Ellis said.
