- The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
- Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.
Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. Although the effort to address the problem is not quite as Herculean, it struck me that the response to the Heartbleed bug needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21st century.

Estimates that I saw about how widespread OpenSSL use is suggest that as much as 66% of all the websites across the globe use OpenSSL, and some reports suggested that the technology is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, website operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability.

It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works. It is surprising that it took two years for legitimate security researchers to uncover the vulnerability. I’m sure talented hackers found it much, much earlier. But I do think that it raises the question: should there be bug bounty programs for open source software? Given that much of the Internet relies on those building blocks, shouldn’t those that benefit most directly ante up to contribute to bug bounty programs focused on the most widely used open source software? Such programs do stimulate greater participation in legitimate vulnerability research. And by drawing from a large pool of contributors, it should be possible to create bounties significant enough to attract good talent to the effort.
At the very least the discovery of the Heartbleed bug should serve as a wake-up call that we need to invest much more in software integrity – especially for widely used open source software.
One other thought. Because this vulnerability also requires action on the part of web consumers, I thought it might be helpful to readers to include a list of popular or widely used sites that indicates whether each was affected and whether the operators recommend a password change.