What the Internet Bug Bounty Teaches About Open Source Software Security


The HackerOne security platform recently announced the latest version of its Internet Bug Bounty (IBB) program. The IBB aims to improve the security of open source software by pooling resources and encouraging security researchers (they call themselves hackers) to find vulnerabilities in open source software (OSS).

Today, the program has introduced a new crowdfunding model. This allows more organizations to use the IBB to secure the open source components their software depends on. Other program partners include Elastic, Facebook, Figma, GitHub, Shopify, and TikTok. These companies, like almost all digital brands, rely on open source software.

The use of open source software has exploded in recent years. What is the story and the motivation behind the Internet Bug Bounty? And which OSS security issues matter most? Take a look at the risks of open source software and the latest efforts to mitigate them.

Why is open source software security important?

Due to the increasing demand for rapid development and continuous iterations, developers are more often using open source frameworks and libraries. Everyone wants to speed up development cycles, and OSS works great for that.

Open source software helps reduce costs and time to market for new applications. Previously, developers would have written large amounts of custom code. Now they draw on OSS frameworks and libraries to find what they need for their projects.

Open source software is software that developers can inspect, copy, modify, and share. While vendors of proprietary software still hold a huge market share, the role of open source software has grown significantly. Consider these facts:

  • Linux powered 75% of public cloud workloads in 2020.
  • The very popular software development stacks LAMP (Linux, Apache, MySQL and PHP) and MEAN (MongoDB, Express.js, AngularJS and Node.js) are open source.
  • About 85% of smartphones worldwide run Android, an open source operating system built on the Linux kernel.

Given how widely open source software is used, the risks that come with it matter a great deal.

Where to find open source software security resources

Although there is no central OSS library, there are many online resources. You can check out GitHub’s OSS framework, Microsoft’s OSS Libraries (the C++ team blog), or even the Netflix open source software center.

Meanwhile, you can also reference the OSINT Framework, which is maintained by Justin Nordine. OSINT stands for open source intelligence, which refers to any information that can be legally obtained from free public sources about an individual or organization. The framework provides links to a large collection of OSINT tools and resources for different tasks. These range from geolocation of IP addresses to vulnerability analysis for domain names.

How strong is OSS security?

You might think that open source security is less robust since the source code is public. Attackers know this too, and are constantly looking for ways to exploit security holes in open source software.

On the other hand, OSS enjoys the support of a huge and very active developer community. This means that open source code is often updated faster than proprietary software. OSS developers are continually working to make software more efficient, secure and user-friendly, and code contributed by these programmers is also often reviewed and accepted much faster.

Given this robust OSS activity, you might think these same people are likely to spot vulnerabilities earlier. However, according to research by GitHub, it can take more than four years on average to detect vulnerabilities in open source software.

Bug Bounty to the rescue

According to HackerOne, the IBB exists to secure shared software components. It encourages security research in open source dependencies and the software supply chain. Meanwhile, organizations that use open source help raise funds for bounties (a bounty being a financial reward for open source researchers and maintainers).

Since its inception in 2013, the Bug Bounty program has discovered over 1,000 flaws in open source programs. At the time of this writing, approximately $750,000 in bounties has been awarded to 233 hackers. The typical bounty ranges from $500 to $750, and top bounties can pay up to $25,000. There is even a leaderboard where hackers can brag and see how their rivals stack up.

The Bug Bounty process goes as follows:

  1. Once a person discovers a vulnerability, they must first submit it to the IBB project managers.

  2. Rewards are only paid for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated, and disclosed through a Security Advisory or a Common Vulnerabilities and Exposures (CVE) entry.

  3. The project allocates bounties according to an 80/20 sharing model. The bug bounty hunter gets 80% of the reward and 20% goes to the OSS project.

The security of open source software remains complex

Open source developers face tremendous pressure to write feature-rich applications within tight release windows. The work required to manage application security and analyze OSS frameworks can be overwhelming. And if nobody builds security in from the start, problems follow.

For example, older versions of open source software often contain vulnerabilities. Although these are fixed in later updates, if you are still using the old version, you are at risk. The Open Web Application Security Project (OWASP) considers older versions of open source components with known vulnerabilities to be one of the most critical web application security risks.

Don’t cut corners with OSS licenses

Open source components come under a variety of licenses, and some carry no license at all. Failure to comply with licensing obligations may result in the loss of intellectual property or lead to legal disputes. All of this can end up delaying or cutting short the hard work of your developers.

Ways to Apply OSS Bug Bounty Tactics

  1. Develop strong policies and procedures (P&P) – These should describe the acceptable license types and OSS components, patch guidelines, and how vulnerabilities are prioritized.

  2. Choose software wisely – Not all open source software is created equal. Check the reviews and find out who else is using it. Also see OWASP Dependency-Check, which detects publicly disclosed vulnerabilities contained in a project’s dependencies.

  3. Make sure a software bill of materials (SBOM) exists for each application – An effective software inventory accurately and dynamically records the relationships between components. An SBOM lets IT teams know where each component resides and what needs to be secured. Map the SBOM to a reliable license, quality, and security database.

  4. Track OSS updates – Check for all software updates and apply them quickly, on a schedule. Some teams deploy fixes in scheduled batches to save resources and ensure that the fix actually happens.

  5. Implement SOAR – Security Orchestration, Automation and Response (SOAR) automates incident response based on threat intelligence. SOAR is a very efficient way to centralize, standardize and develop security processes.
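A worked check that ties together tactics 1 to 3 above (a license policy, a dependency vulnerability check, and an SBOM), written as an added example rather than code from the article or from HackerOne or OWASP. It reads a constructed CycloneDX-style SBOM fragment, flags components whose version is below the first fixed version in a constructed advisory list, and reports license policy violations. Every package name, version, advisory id and license set here is made up for illustration.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not any real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-yaml", "version": "5.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-xml", "version": "1.9.0"}
  ]
}
"""

# Constructed advisory feed: package -> list of (advisory id, first fixed version).
# The ids are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = {
    "example-http": [("ADV-PLACEHOLDER-1", "2.3.2")],
    "example-yaml": [("ADV-PLACEHOLDER-2", "5.4")],
}

# Licenses the (constructed) policy permits, per the P&P tactic above.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def audit_sbom(sbom_text):
    """Return (vulnerable, license_violations, unlicensed) findings for an SBOM."""
    vulnerable, license_violations, unlicensed = [], [], []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp["name"], comp["version"]
        # Tactic 2: a component older than the first fixed version is exposed.
        for adv_id, fixed_in in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                vulnerable.append((name, version, adv_id, fixed_in))
        # Tactic 1: an unlicensed or non-approved component breaks the policy.
        ids = [lic["license"].get("id") for lic in comp.get("licenses", [])]
        if not ids:
            unlicensed.append(name)
        elif not set(ids) <= ALLOWED_LICENSES:
            license_violations.append((name, ids))
    return vulnerable, license_violations, unlicensed


if __name__ == "__main__":
    for label, findings in zip(("vulnerable", "license", "unlicensed"), audit_sbom(SBOM_JSON)):
        print(label, findings)
```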

With these bug bounty-inspired tactics, you will gain a better understanding of OSS security across the many ways open source software is used.
