Bug Bounties, Public Betas and Risk Management

I love Paul Jorgensen’s blog and his unique take on cyber security issues. It is his chosen profession and he was one of the very few to notice and take interest in the August 2017 Google BGP leak that brought down Apple Pay Suica services and major parts of the Japanese internet. He was also one of the few to blog about China Telecom spoofing the BGP protocol to poison internet routes to suck up massive amounts of American and Canadian internet traffic for intelligence analysis.

In his post today Paul quotes Katie Moussouris on bug bounties and risk management. Specifically, relying on public bug bounty programs that just create the “appearance of diligence”:

“This is not appropriate risk management. This is not getting better when it comes to security vulnerability management.

A lot of the patterns [have] not actually shifted that much from where we were when I started out professionally 20 years ago as a penetration tester…

We’ve created a $170 billion industry, which, we’re really good at a few things, security not exactly being one of them. Marketing, definitely.”

As Paul points out, “bug bounties are a tool, but only one tool. And it’s a game, so people will look to take advantage.”

To draw a close analogy, I would also say that the public beta approach Apple now uses for iOS and macOS development is similar in that it just conjures the appearance of diligence, not diligence itself. It creates an atmosphere of reduced expectations, both on the engineering side and the user side: “it’s just a beta, we can still work out the bugs.” I wonder if we would be better off without a public beta; a better developer beta program with robust bug reporting tools might set a higher bar.

As others such as John Gruber have noted, iOS 13 has been one of the buggiest beta development cycles in recent memory. Perhaps I am being nostalgic, but I think when Steve Jobs still walked the halls in Cupertino, his drive to deliver an excellent shipping product, and fear of his wrath when things didn’t measure up, was due diligence that instilled the Apple development culture of that time.

People perceive quality even if they cannot put it into words, the old look and feel thing. As Moussouris points out, marketing is a poor substitute for diligence and quality. The risk of the current environment is that Apple ships software products that have lower expectations which no amount of marketing can make up for.
