The security platform HackerOne recently announced the latest version of their Internet Bug Bounty (IBB) program. The IBB strives to enhance open-source software security by pooling resources and encouraging security experts (they call themselves hackers) to find flaws in open-source software (OSS).

Now, the program has introduced a new crowd-funding model. This lets more organizations use the IBB to help secure the open-source components their own software depends on. Other program partners include Elastic, Facebook, Figma, GitHub, Shopify and TikTok. These companies, like nearly every digital brand, all depend on open-source software.

The use of OSS has exploded lately. What’s the history and motivation behind Bug Bounty? And what are the important OSS security issues to be aware of? Take a look at the risks of open-source software and the latest efforts to mitigate them.

Why Open Source Software Security Matters

Due to rising demand for rapid development and ongoing iteration, developers are leveraging open-source frameworks and libraries more often. Everyone wants to fast-track development life cycles, and OSS works great for this.

OSS helps lower costs and reduce time-to-market for new applications. Before, developers might have written reams of custom code. Now, they mine OSS frameworks and libraries to find what they need to fit their projects.

Open-source software is software that developers can inspect, copy, modify and share. While proprietary software providers still own a huge market share, the role of OSS has grown a lot. A few facts show how far it has spread:

  • Linux powered 75% of the public cloud workload in 2020
  • The highly popular software development stacks LAMP (Linux, Apache, MySQL and PHP) and MEAN (MongoDB, Express.js, AngularJS and Node.js) are open-source
  • Around 85% of the world’s smartphones run on Android, an open-source operating system built on the Linux kernel

Given how widely OSS is used, any risk it carries matters a great deal.

Where to Find Open-Source Software Security Resources

While there is no central OSS library, there are plenty of resources online. You might check out GitHub’s OSS-Framework, Microsoft’s OSS Libraries – C++ Team Blog or even the Netflix Open Source Software Center.

Meanwhile, you could also reference the OSINT Framework, which is curated by Justin Nordine. OSINT stands for open-source intelligence, which refers to any information about an individual or organization that can be legally obtained from free, public sources. The framework provides links to a giant collection of OSINT tools and resources for different tasks, ranging from geolocating IP addresses to vulnerability scanning for domain names.

How Strong Is OSS Security?

You might think open source security is less robust since the source code is public. Attackers know this as well, and they constantly seek ways to exploit OSS security holes.

On the flip side, OSS gets support from a huge and highly active developer community. This means open-source code is often updated faster than proprietary software. OSS developers are always busy making the software more efficient, secure and user-friendly, and the code they write also tends to be reviewed and approved much faster.

Given this robust OSS activity, you might think those same people are likely to detect vulnerabilities earlier. However, according to GitHub research, it can take an average of over four years to detect vulnerabilities in open-source software.

Bug Bounty to the Rescue

According to HackerOne, the IBB exists to secure shared software components. It incentivizes security research into open-source and software supply chain dependencies. Meanwhile, organizations that use open-source software contribute money to fund the bounties (a bounty is a financial reward for the researchers and maintainers of open-source projects).

Since its inception in 2013, the Bug Bounty program has discovered over 1,000 defects in open-source programs. As of this writing, about $750,000 in bounties have been awarded to 233 hackers. The average bounty range is from $500 to $750. High-end bounties can pay up to $25,000. There’s even a hacker leaderboard, so researchers can claim bragging rights and see how they measure up against their rivals.

The Bug Bounty process goes like this:

  1. Once someone discovers a vulnerability, they must submit it to the IBB Project Maintainers first.

  2. Awards are only paid for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or Common Vulnerabilities and Exposures (CVE).

  3. The project awards bounties according to an 80/20 split model. The bug bounty hunter gets 80% of the reward, and 20% goes to the OSS Project.

OSS Security Remains Complex

Open-source developers face tremendous pressure to write feature-rich apps within tight release windows. The work required to manage app security and OSS framework analysis can be crushing. And if security was not built in from the start, a variety of problems follow.

For example, older versions of open-source software often contain vulnerabilities. Even when a flaw has been fixed in a later release, you remain exposed if you are still running the older version. The Open Web Application Security Project (OWASP) considers old versions of open-source components with known vulnerabilities to be one of the most critical web application security risks.

Don’t Cut Corners With OSS Licensing

You can obtain open-source content under various licenses, or it may require no license at all. Ignorance about license obligations can lead to the loss of intellectual property or end up in legal wrangling. All of this can delay or cut short the hard work of your developers.

Ways to Apply OSS Bug Bounty Tactics

  1. Develop sound Policy & Procedures (P&P) – This should include a description of acceptable OSS licensing and component types, patching guidelines and vulnerability prioritization.

  2. Choose software wisely – Not all OSS is created equal. Check for reviews and find out who else is using it. Also, consult with the OWASP Dependency-Check, which detects publicly disclosed vulnerabilities contained within a project’s dependencies.

  3. Ensure a software bill of materials (SBOM) exists for every software application – Effective software inventory accurately and dynamically records the relationships between components. SBOM enables IT teams to know where each component resides and what needs to be secured. Map the SBOM to a reliable license, quality and security database.

  4. Track OSS Updates – Scan for any software updates and implement them promptly. Plan to do this on a schedule. Some people deploy patches in scheduled batches to save resources and to make sure patching happens.

  5. Implement SOAR (security orchestration, automation and response) – This is threat intelligence-driven automated incident response. SOAR is a highly effective way to centralize, standardize and scale security processes.
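To make items 2, 3 and 4 concrete, here is an added example (not code from the article, HackerOne or OWASP) that loads a constructed CycloneDX-style SBOM and flags every component whose recorded version is older than the first fixed version in a constructed advisory list, which is exactly the "known-vulnerable old version" risk the article describes. The component names, versions and advisory identifiers are made-up placeholders; a real check would consult a live vulnerability database.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (real format, made-up components and versions).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http-lib", "version": "2.4.1"},
    {"type": "library", "name": "example-json-lib", "version": "1.9.0"},
    {"type": "library", "name": "example-crypto-lib", "version": "3.0.2"}
  ]
}"""

# Constructed advisory feed standing in for a real vulnerability database.
# component name -> list of (placeholder advisory id, first version carrying the fix)
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "example-http-lib": [("ADV-PLACEHOLDER-001", "2.4.3")],
    "example-json-lib": [("ADV-PLACEHOLDER-002", "1.8.5")],
    "example-crypto-lib": [("ADV-PLACEHOLDER-003", "3.1.0"),
                           ("ADV-PLACEHOLDER-004", "2.9.9")],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings.
    A non-numeric suffix such as '-rc1' is ignored; a real tool needs the
    ecosystem's own version parser (semver, PEP 440, Maven) here."""
    parts = []
    for seg in version.split("."):
        match = re.match(r"\d+", seg)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def find_vulnerable_components(sbom_json: str) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) where the version recorded in
    the SBOM is older than the first version that carries the fix."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        installed = parse_version(comp["version"])
        for advisory_id, fixed_in in ADVISORIES.get(comp["name"], []):
            if installed < parse_version(fixed_in):
                findings.append({"component": comp["name"], "installed": comp["version"],
                                 "advisory": advisory_id, "fixed_in": fixed_in})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON):
        print(f"{f['component']} {f['installed']} is affected by {f['advisory']}; "
              f"upgrade to {f['fixed_in']}")
```

Running the same check on every build, with the SBOM generated from the build itself, is what turns item 4's "scan for updates" into a repeatable, scheduled control.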

With these tactics inspired by the bug bounty program, you’ll have a better grasp of OSS security across the myriad uses of open-source software.
