The question of whether software companies should pay bounties to people who discover bugs has been a sticky one. It has again been raised by a security researcher who is demanding a reward from network security vendor FireEye for his efforts.

As outlined by CSOonline, California-based researcher Kristian Erik Hermansen said he and Ron Perris discovered several zero-day vulnerabilities in FireEye products a while back, one of which was disclosed to the company. After getting no satisfaction — whether that be in acknowledgment of their work, putting out a fix or getting paid — Hermansen put out details about one of them on the weekend, potentially giving attackers an exploit, and is demanding US$10,000 for details about two others.

The fact is FireEye doesn’t have a bug bounty paying program, although it encourages researchers to privately alert the company so they can investigate.

Meanwhile Hermansen offers this defence: “I tried for 18 months to work with FireEye through responsible channels and they balked every time. These issues need to be released because the platforms are wrought with vulnerabilities and the community needs to know, especially since these are (U.S.) Gov-approved Safe Harbor devices with glaring remote root vulnerabilities,” Hermansen told CSO via email.

“No one should be trusting these devices on their network if FireEye can’t be bothered to fix the problems. As a security company, their standards should be higher.”

Whether in fact FireEye hasn’t fixed the vulnerabilities Hermansen told the company about, or whether this is about money, isn’t clear. But there are two issues: One is how fast a company fixes a reported bug, the other is whether it pays legitimate researchers.

On the second, the question of creating a bounty program is a difficult one for vendors: Do bounties encourage a wider range of coders than the vendor employs to examine its software, so that vulnerabilities are found faster, or do they encourage people to make wild claims in hopes of getting money?

One thing in this case is certain: FireEye doesn’t have a payment program and everyone knows it.

On the first issue, vendors have to prioritize security vulnerabilities, and — we all hope — they treat major problems seriously. What a researcher does if he or she feels the vulnerability isn’t being fixed is an ethical question.

As for researchers, it doesn’t increase the value of their work to release vulnerability details that can be exploited. And it seriously damages their credibility if they put their work up for sale.

Let us know what you think in the comments section below.

  • me on it

    Duuh – if you are a researcher as a means to providing consultation to other firms, and you find a vendor who doesn’t want to work with you about their issues, then you have two choices:
    1- stop researching their products and include that in any “documents” you produce
    2- report anything you find to them with the caveat that you will publicly release the information in 24 hours’ time