Despite good examples from Google, Microsoft, and others, Bug Bounty programs in SCADA and ICS are very limited. As in nearly non-existent. As in the only one I’ve heard about publicly is IntegraXor’s non-monetary program, which hit mainstream last week.
I had a chance to email with KP Lee, the CEO of IntegraXor, and was able to ask a few questions on the program, and some background behind it.
According to KP, IntegraXor’s motivation for the bug bounty program was to do what they can currently afford to fix problems that could threaten their customers, chiefly from a human safety perspective. The intent is for the program to start out restrictive and be opened up as experience develops; this approach was chosen because IntegraXor was not aware of any bug bounty examples in ICS to model it on.
KP also illustrated one of the major reasons for their concern in the screenshot below. The screenshot is a record from their online demo of the product, and it shows the demo being subjected to several attacks from various IP addresses at various dates and times. Standard SQL injection attempts, directory traversals, and brute forces are all shown, as well as some trivial “hey, are you piping this to the command line?” checks.
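The screenshot itself is not reproduced here, but the four categories it shows can be picked out of an ordinary web-server access log. The following Python is an added example, not IntegraXor’s code and not taken from the demo: the log lines are constructed for this post, the signature patterns and the brute-force threshold are my assumptions, and a production detector would add time windows and a much fuller rule set.

```python
"""Tag access-log requests as SQL injection, directory traversal, shell-command
probes, or brute force. Added example; the log lines below are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures run against the URL-decoded path, so %27 / %2f / %20 payloads
# are seen as the quote, slash and space they become on the server side.
SIGNATURES = {
    "sqli": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*(or|and)\b|--\s*$|\bsleep\s*\("),
    "traversal": re.compile(r"\.\.[/\\]"),
    # "are you piping this to the command line?" probes: a shell separator
    # followed by a common command name (word list is an assumption)
    "cmd_probe": re.compile(
        r"(?i)[;|`]\s*(cat|id|ls|whoami|uname|dir|type|echo|ping|nc|wget|curl)\b|\$\("
    ),
}
BRUTE_FORCE_THRESHOLD = 10  # failed logins from one IP before flagging (assumption)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(unquote(rec["path"]))  # double-decode catches %252e tricks
    return rec


def tag_request(rec):
    """Return the set of signature names that match one parsed request."""
    return {name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])}


def analyse(log_text):
    """Return {ip: Counter(category -> hits)} for every IP that tripped something."""
    findings = defaultdict(Counter)
    failed_logins = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in tag_request(rec):
            findings[rec["ip"]][tag] += 1
        # Auth failure on the login endpoint; a real detector would window by time.
        if rec["method"] == "POST" and rec["path"].startswith("/login") and rec["status"] in (401, 403):
            failed_logins[rec["ip"]] += 1
    for ip, n in failed_logins.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings[ip]["brute_force"] = n
    return dict(findings)


# Constructed sample log (documentation IP ranges, invented paths and times).
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [02/Oct/2013:10:01:11 +0800] "GET /login.asp?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
        '203.0.113.7 - - [02/Oct/2013:10:01:13 +0800] "GET /login.asp?user=a%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 310',
        '198.51.100.22 - - [03/Oct/2013:14:22:01 +0800] "GET /../../../../windows/win.ini HTTP/1.1" 404 220',
        '198.51.100.22 - - [03/Oct/2013:14:22:02 +0800] "GET /scripts/..%2f..%2f..%2fboot.ini HTTP/1.1" 404 220',
        '192.0.2.9 - - [04/Oct/2013:08:00:00 +0800] "GET /tag.asp?name=x;cat%20/etc/passwd HTTP/1.1" 200 180',
        '192.0.2.9 - - [04/Oct/2013:08:00:01 +0800] "GET /tag.asp?name=%60id%60 HTTP/1.1" 200 180',
        '10.0.0.5 - - [05/Oct/2013:09:00:00 +0800] "GET /index.html HTTP/1.1" 200 1024',
    ]
    + [f'192.0.2.44 - - [05/Oct/2013:23:59:{i:02d} +0800] "POST /login.asp HTTP/1.1" 401 90' for i in range(12)]
)

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, dict(hits))
```

Decoding before matching is what makes the `..%2f..%2f` form show up as the same traversal as the plain `../` one; without it, half of the screenshot’s traffic would look benign. Signature hits are a triage aid, not evidence that anything succeeded, which is why the report keeps per-IP counts rather than raising one alert per line.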
There was also a concern from KP that the original closed disclosure process was not the best for rewarding researchers for their contributions (the word he used was ‘careless’). It has since been changed: the Bug Bounty Program announcement now accepts ‘responsible and collaborative disclosure’ and disqualifies zero-day disclosure (publishing a flaw before the vendor has had a chance to fix it). Researchers will also get credit for their efforts on IntegraXor’s Vulnerability Note site, or through ICS-CERT if they use it for coordinated disclosure.
IntegraXor’s program is interesting because they are not offering money for bugs; they are offering data point licenses instead. For those of you who don’t spend much time in the ICS security space, a point license is standard in automation. Basically, a user is charged by how large their automation system is, rather than by how many CDs or installed computers they need. The number of data points in an automation system can range from the low hundreds to tens of thousands, which makes it a good licensing model for companies that specialize in HMI and engineering software rather than the physical hardware. And additional point licenses are easy for existing customers to add to their system, since they require no additional hardware to implement.
The ‘point store’ approach leads me to believe that existing customers may be much more responsive than individual researchers, due to the ability to upgrade their own systems by reporting flaws they find. If any user of IntegraXor products wants to try this out, let me know.
The approach of offering store credit has been panned by researchers and news sources over the past week, Christopher Soghoian going so far as to call it “pathetic” in a Twitter post. KP’s response to these reports is that IntegraXor is considering monetary awards in the future, but that they must become ‘competent’ in managing the process first. Much of this derision comes from security researchers and vulnerability companies who have been working with cash bug bounties for years now. Still, IntegraXor is the first ICS company to publicly have a bug bounty program, regardless of how ‘good’ the reward is.
Thanks to the Lost Decade, SCADA/ICS security is considerably farther behind the mainstream, and bug bounties are one casualty of ten years down the drain in security. It’s still good to see one vendor looking forward. Who is next?
title image by mscaprikell