BountyGraph is crowdfunding bug bounties for high-impact flaws lower down in the stack

Nobody wants to reinvent the wheel – but using open source code libraries or packages brings the risk of dependency problems that can be difficult and expensive to solve.

Enter BountyGraph, a bug bounty service launched this summer that allows businesses to pool money with other organizations using the same software to make their security budget go as far as possible.

“The idea for the site came about when I was participating in bug bounty programs in college. As time went on I started looking for higher impact bugs, lower down in the stack,” cofounder Max Justicz tells The Daily Swig.

“Why spend time finding a bug in a single website running Ruby on Rails when I could find a bug in rubygems.org, which is open source and whose security affects almost every Rails application in the world?”

Unfortunately, Justicz says, the impact of doing this wasn’t reflected in the bug bounties available – indeed, there was often no bounty available at all.

“At the end of the day, it doesn’t matter if a hacker hacks your web application through code written by your own developers or through your free and open source web server: you’re compromised regardless,” he says.

“Bug bounties don’t currently reflect that. I thought this was a case of misaligned incentives between private industry and bug hunters, so I built a site to try and fix it.”

Through BountyGraph, organizations can sign up to fund a particular project, with the potential bounty increasing as more organizations join and as sponsors put in additional money. Researchers can then report vulnerabilities in the relevant software, with bounties issued once the security issue has been fixed and a patch released.

BountyGraph also offers security audits in a similar way, getting a quote from an established security consulting firm for an audit that’s carried out once enough funding pledges have been made.

The results are then shared with the participants. BountyGraph itself is funded by taking a 15% cut of bounties and audits funded through the platform.

“BountyGraph has a number of checks and balances to make sure that the bounty payout process is fair,” says Justicz.

“Funding organizations are never obligated to pay a bounty: if some aspect of the report makes anyone uneasy, there is no requirement to pay out. Patches are required to be made public before making the report visible to funding organizations.”

The rewards for hackers can be pretty substantial, with Dropbox promising bounties of up to $32,768 for critical bugs in Squid and curl; more are on their way, says Justicz.

“Dropbox is our largest project funder so far, but several more organizations have expressed interest, and you should see them show up on BountyGraph in the coming weeks and months,” says Justicz.