Heartbleed underscores need for open source bug bounties


I came across an excellent suggestion for preventing future problems like the Heartbleed bug: set up a bug bounty program for open source software.

Paula Musich, senior analyst for enterprise network and security at Current Analysis, suggests setting up an open source software bug bounty program similar to those that proprietary software vendors already run, such as the programs operated by Google, Mozilla and, more recently, Microsoft.

"Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program," Musich writes.

As Codenomicon explained in announcing the bug: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

The affected library is used by roughly two-thirds of all websites, according to Reuters, and the bug reached some 50 million Android devices, according to The Guardian newspaper. That is a devastating software flaw by any measure.

It appears that the bug was introduced as a result of an oversight by Robin Seggelmann, a German software developer who contributed to OpenSSL. Seggelmann told the Sydney Morning Herald that he and a reviewer both missed the bug when the code was merged into OpenSSL more than two years earlier (the change was committed on 31 December 2011 and shipped in OpenSSL 1.0.1 in March 2012).

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features. In one of the new features, unfortunately, I missed validating a variable containing a length," Seggelmann explained. While the error seemed to him "quite trivial," he admitted that the impact was "severe."
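The "variable containing a length" is the payload length that a TLS heartbeat request carries in its own header. What follows is an added illustration, not OpenSSL's code and not anything from the interview: a deliberately simplified heartbeat handler in C, once with the length check missing and once with the two bounds checks that the OpenSSL 1.0.1g fix added. The "peer memory" buffer, the `PRIVATE-KEY-MATERIAL` string behind the record, and all function names here are constructed for the demonstration. The point it makes is the one Seggelmann describes: the handler copies as many bytes as the attacker says were sent, not as many as actually arrived.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3    /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING  16   /* RFC 6520 minimum padding */

/* Constructed stand-in for the peer's memory: a heartbeat record at the
 * front, and secret material that happens to sit right behind it.
 * The record claims a 40-byte payload but only 4 payload bytes were sent.
 * Returns the number of bytes that actually arrived on the wire. */
static size_t build_memory(uint8_t *mem, size_t cap) {
    const char *secret = "PRIVATE-KEY-MATERIAL";   /* 20 bytes, constructed */
    size_t n = 0;
    memset(mem, 0, cap);
    mem[n++] = HB_REQUEST;
    mem[n++] = 0x00;
    mem[n++] = 0x28;                 /* payload_length = 40: the lie */
    memcpy(mem + n, "ping", 4);      /* the 4 bytes actually sent */
    n += 4;
    n += HB_PADDING;                 /* 16 zero bytes of padding */
    memcpy(mem + n, secret, strlen(secret));   /* whatever sits next on the heap */
    return HB_HDR + 4 + HB_PADDING;  /* 23 bytes on the wire */
}

/* Vulnerable handler: trusts payload_length from the wire and never compares
 * it with the length of the record that actually arrived (rec_len). */
int hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;   /* the bug in miniature: this value is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;   /* only guards the output buffer */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* reads past the record */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed handler: the same two bounds checks the 1.0.1g patch introduced,
 * expressed against rec_len. A record that does not add up is discarded. */
int hb_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;   /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return -1;   /* claim exceeds record */
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* now provably inside rec */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* 1 if needle occurs anywhere in buf[0..len), 0 otherwise. */
static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the adjacent secret back to the peer. */
int demo_vulnerable_leaks(void) {
    uint8_t mem[64], out[128];
    size_t n = build_memory(mem, sizeof mem);
    int r = hb_vulnerable(mem, n, out, sizeof out);
    return r == 59 && contains(out, (size_t)r, "PRIVATE-KEY-MATERIAL");
}

/* 1 if the fixed handler refuses the lying record. */
int demo_fixed_rejects(void) {
    uint8_t mem[64], out[128];
    size_t n = build_memory(mem, sizeof mem);
    return hb_fixed(mem, n, out, sizeof out) == -1;
}

/* 1 if the fixed handler still echoes an honest 4-byte heartbeat. */
int demo_fixed_echoes_honest(void) {
    uint8_t mem[64], out[128];
    size_t n = build_memory(mem, sizeof mem);
    mem[1] = 0x00; mem[2] = 0x04;    /* payload_length = 4, matching what was sent */
    int r = hb_fixed(mem, n, out, sizeof out);
    return r == 23 && memcmp(out + HB_HDR, "ping", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler rejects record:    %d\n", demo_fixed_rejects());
    printf("fixed handler echoes honest:     %d\n", demo_fixed_echoes_honest());
    return 0;
}
```

The copy in the vulnerable version stays inside the simulated 64-byte buffer, so the program runs cleanly; in the real library the same `memcpy` walked off the end of the received record into whatever the heap held next, which is why keys and passwords could come back in a heartbeat reply. Note that the fix is two comparisons against the length the transport actually delivered, which is the "quite trivial" check that was missing.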

This interview highlights a weakness in the open source software development process. A missing length check passed both its author and a reviewer, and once the code was published nobody else had a reason to look at it again until it had been in production for more than two years. A bug bounty program would give "white hat" security researchers a financial incentive to hunt for a flaw like Heartbleed long before that.

The program should be funded by "those who benefit most directly" from open source software, Musich argues. "Such [bug bounty] programs do stimulate greater participation in legitimate vulnerability research. And by drawing from a large pool of contributors, it should be possible to create bounties significant enough to attract good talent to the effort," she writes.

Bug bounty programs, which pay researchers to uncover software flaws and vulnerabilities, have been effective at surfacing vulnerabilities in Google's and Mozilla's browsers, and cost-effective compared with hiring full-time security staff, according to a 2013 study by researchers from the University of California, Berkeley.

So it's time to apply the success of bug bounties for proprietary software to open source software. The fewer Heartbleed-type bugs, the better. -- Fred