The Sunday Times of Malta

Bugging others for a bounty

- KENNETH CHARLES CURMI

As the Maltese saying goes, “Pjaċir mhux mitlub nofsu mitluf”. Favours come in two halves and so did one of my favourite childhood chocolate bars.

Indeed, that coconut-filled chocolate in the unmistakable blue and white wrapper was quite popular in my childhood, not only because it tasted good but also because it conveniently came in two distinct pieces, making it the ideal contender for charity chocolate.

You would bug your best mate to share it with you and this sweet bartering scene has played out countless times before my hungry eyes. I myself have been on both the receiving and, more reluctantly, the giving end of such transactions.

There is no doubt in my mind that the students at the centre of the FreeHour debacle had only good intentions and meant well when they contacted the latter to highlight a security vulnerability; so let me preface this article by expressing my hope that their issue is resolved so that they can return to a normal life at the soonest with only a valuable lesson as their troublesome reward.

When so many criminals acting in the most barbaric way and even caught on video are on the loose, it would be truly sad that such young talent is the one that suffers the strong arm of the law.

That said, there have been a lot of emotional knee-jerk reactions, so it is important to take a step back and analyse the situation objectively.

Firstly, before passing any judgement, one needs to read the actual e-mail sent. People have a habit of jumping to conclusions without actually consulting the evidence. Thankfully, the e-mail has been posted and this shows that the party had no ill-intention.

Save for some minor editorial changes needed to embellish the text and make it clear that theirs was but a friendly exhortation, an embellishment that could have possibly saved them much trouble – and there’s the first lesson to be learnt there: always get a proofreader, preferably a bona-fide author – the correspondence reads amicably.

When writing such e-mails, less is not more: one has to read such messages not from our disinterested point of view, relaxing on the sofa as we contemptuously frown in disgust at the perceived cruelty of some people, but rather from the company owner’s, who, scanning through such an out-of-the-blue revelation, might panic into thinking it some form of extortion and blackmail instead of imagining well-intentioned ethical hackers. It is important to stress the vagaries of interpretation and misinterpretation that arise out of textual communication. Clarity is key.

More importantly, however, there seems to be a misconception about what bug bounties are.

A simple Google search will provide one with a lot of articles on bug bounty programmes. These are set in place by companies wishing to invite savvy security experts or whizz kids to identify bugs and security flaws and vulnerabilities.

That is the thing though: it is the company that sets up the bug bounty programme and it is the existence of such a programme which makes any prospective bug hunter eligible for the bounty. As common sense would have it, it is the former, and not the latter, who offers the bounty, just like normal bounties for wanted people are offered by the government and not demanded by the citizen.

I am no lawyer but I am certain that a good lawyer could write at length about such subtle but important distinctions.

In fact, another Google search will bring up a few interesting facts about bug bounties.

Hackerone.com clearly defines bug bounties as something companies create “to provide financial incentives to independent bug bounty hunters” while threatpost.com “brought together leading voices in the bug bounty community” to get answers to some frequently asked questions, one of which addressed the importance of getting authorisation from the relevant organisation, adding that “if a company has no publicly listed bug bounty/VDP information posted, finding and reporting a bug to them can result in them filing charges since it is technically illegal”.

The statement issued by FreeHour itself refers to this:

“While bounty payments are the norm for ethical hacking in other countries, FreeHour has never launched a bug bounty programme which would offer developers monetary compensation for finding security flaws.”

The point of the matter is that one cannot ask for a bug bounty if there is no bug bounty programme in place. Apart from the fact that the hunting was not sanctioned by the company in question, there is the more obvious issue that comes to mind, namely that a company might simply not have any funds allocated to such programmes. Companies cannot just take out money without taking account of it: reward money does not come from thin air.

Stating that they were eligible for bug bounty when the company had no bug bounty programme in place might have been misconstrued and is probably the part which backfired. This also seems to be confirmed by the statement on FreeHour’s website.

In all fairness, the four merely pointed out their eligibility (though here, again, wording is key: a “could” is definitely more apt than the ill-chosen “would”).

Some organisations may also choose to keep certain domains off-limits or limit testing to areas with little to no impact on day-to-day business operations, allowing them to implement security testing without compromising productivity. This is a right that a company should have in running its business, one to be measured against the duty it has to provide reasonable security to its users.

At the end of the day, I hope the students get a break and are treated in the same well-meaning manner they hoped to convey. Hopefully, this will be a catalyst for Maltese app developers and companies to start official bug bounty programmes which in the end help everyone: they help the app in becoming more secure, which invariably leads to security benefits for its users, and also help students by providing a real-world testing platform for their abilities.

That way, everything is clear and there is no room for misinterpretation and we end up with a win-win situation, a delicious bounty for both parties.

Favours come in two halves and the best ones leave both intact.

Kenneth Charles Curmi is the former national representative of the Parliament of Malta to the European Parliament and the EU institutions.

[Photo: The students at the centre of the FreeHour debacle.]
