The security platform HackerOne recently announced the latest version of their Internet Bug Bounty (IBB) program. The IBB strives to enhance open-source software security by pooling resources and encouraging security experts (they call themselves hackers) to find flaws in open-source software (OSS).

Now, the program has introduced a new crowd-funding method. This enables more organizations to use the IBB to secure open-source needs in their software. Other program partners include Elastic, Facebook, Figma, GitHub, Shopify and TikTok. These companies, like nearly every digital brand, all depend on open-source software.

The use of OSS has exploded lately. What’s the history and motivation behind Bug Bounty? And what are the important OSS security issues to be aware of? Take a look at the risks of open-source software and the latest efforts to mitigate them.

Why Open Source Software Security Matters

Due to rising demand for rapid development and ongoing iteration, developers are leveraging open-source frameworks and libraries more often. Everyone wants to fast-track development life cycles, and OSS works great for this.

OSS helps lower costs and reduce time-to-market for new applications. Before, developers might have written reams of custom code. Now, they mine OSS frameworks and libraries to find what they need to fit their projects.

Open-source software is software that developers can inspect, copy, modify and share. While proprietary software providers still own a huge market share, the role of OSS has grown a lot. These facts reveal:

  • Linux powered 75% of the public cloud workload in 2020
  • Highly popular software development stacks LAMP (Linux, Apache, MySQL and PHP) and MEAN (MongoDB, Express.js, AngularJS and Node.js) are open-source
  • Around 85% of the world’s smartphones run on Android, an open source operating system built on the Linux kernel.

Given the widespread use of OSS, any related risks are very important.

Where to Find Open-Source Software Security Resources

While there is no central OSS library, there are plenty of resources online. You might check out GitHub’s OSS-Framework, Microsoft’s OSS Libraries – C++ Team Blog or even the Netflix Open Source Software Center.

Meanwhile, you could also reference the OSINT Framework which is curated by Justin Nordine. OSINT stands for open-source intelligence, which refers to any information that can be legally obtained from free, public sources about an individual or organization. The framework provides links to a giant collection of OSINT tools and resources for different tasks. These can cover from geolocating IP addresses to vulnerability scanning for domain names.

How Strong Is OSS Security?

You might think open source security is less robust since the source code is public. Attackers know this as well, and they constantly seek ways to exploit OSS security holes.

On the flip side, OSS gets support from a huge and highly active developer community. This means people often update open-source code faster versus proprietary software. OSS developers are always busy making the software more efficient, secure and user-friendly. People also often approve the code written by these programmers much faster.

Given this robust OSS activity, you might think those same people are likely to detect vulnerabilities earlier. However, according to GitHub research, it can take an average of over four years to detect vulnerabilities in open-source software.

Bug Bounty to the Rescue

According to HackerOne, IBB exists to secure shared software components. It incentivizes security research into open-source and software supply chain dependencies. Meanwhile, organizations that use open-source contribute to raise money for the bounties (bounty = financial support for researchers and maintainers of open-source).

Since its inception in 2013, the Bug Bounty program has discovered over 1,000 defects in open-source programs. As of this writing, about $750,000 in bounties have been awarded to 233 hackers. The average bounty range is from $500 to $750. High-end bounties can pay up to $25,000. There’s even a hacker leaderboard for bragging rights and to see how their rivals measure up.

The Bug Bounty process goes like this:

  1. Once someone discovers a vulnerability, they must submit it to the IBB Project Maintainers first.

  2. Awards are only paid for vulnerabilities that have been responsibly reported, acknowledged, triaged, remediated and disclosed via Security Advisory or Common Vulnerabilities and Exposures (CVE).

  3. The project awards bounties according to an 80/20 split model. The bug bounty hunter gets 80% of the reward, and 20% goes to the OSS Project.

OSS Security Remains Complex

Open-source developers face tremendous pressure to write feature-rich apps with tight release windows. The work required to manage app security and OSS framework analysis can be crushing. Also, if no one built security from the start, this leads to a variety of problems.

For example, older versions of open-source software often contain vulnerabilities. Despite being fixed in subsequent updates, if you are still running the older version, you’re exposed. The Open Web Application Security Project (OWASP), considers old versions of open-source components with known vulnerabilities as one of the most critical web application security risks.

Don’t Cut Corners With OSS Licensing

You can obtain open-source content under various licenses. Or it may require no license at all. Ignorance about license obligations can lead to the loss of intellectual property or end up in legal wrangling. All of this can end up delaying or truncating the hard work of your developers.

Ways to Apply OSS Bug Bounty Tactics

  1. Develop sound Policy & Procedures (P&P) – This should include a description of acceptable OSS licensing and component types, patching guidelines and vulnerability prioritization.

  2. Choose software wisely – Not all OSS is created equal. Check for reviews and find out who else is using it. Also, consult with the OWASP Dependency-Check, which detects publicly disclosed vulnerabilities contained within a project’s dependencies.

  3. Ensure a software bill of materials (SBOM) exists for every software application – Effective software inventory accurately and dynamically records the relationships between components. SBOM enables IT teams to know where each component resides and what needs to be secured. Map the SBOM to a reliable license, quality and security database.

  4. Track OSS Updates – Scan for any software updates and implement them promptly. Plan to do this on a schedule. Some people deploy patches in scheduled batches to save resources and to make sure patching happens.

  5. Implement SOAR This is threat intelligence-driven automated incident response. SOAR is a highly effective way to centralize, standardize and scale security processes.

With these tactics inspired by the bug bounty program, you’ll have a better grasp of OSS security for the myriad of uses for open-source software.

more from Incident Response

To Cybersecurity Incident Responders Holding the Digital Front Line, We Salute You

Over the course of two decades, I’ve seen Incident Response (IR) take on many forms. Cybercrime’s evolution has pulled the nature of IR along with it — shifts in cybercriminals’ tactics and motives have been constant. Even the cybercriminal psyche has completely rebirthed, with more collaboration amongst gangs and fully established ransomware enterprises running. When I was first starting off,…

X-Force 2022 Insights: An Expanding OT Threat Landscape

This post was written with contributions from Dave McMillen. So far 2022 has seen international cyber security agencies issuing multiple alerts about malicious Russian cyber operations and potential attacks on critical infrastructure, the discovery of two new OT-specific pieces of malware, Industroyer2 and InController/PipeDream, and the disclosure of many operational technology (OT) vulnerabilities. The OT cyber threat landscape is expanding dramatically and OT…