I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

Analysis Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don't pay out for reports are making life even harder while putting their own products at risk.

Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote code execution vulnerabilities in two websites run by Sony and Sony Pictures. Those flaws were rated as a critical risk, and earned Figueiredo recognition on the hacktivity page of HackerOne, hired by Sony to handle its bug bounties.

It could, however, have been an even bigger disclosure, with potentially more security holes in the entertainment giant's systems reported, had Sony offered Figueiredo better incentives. With just a t-shirt up for grabs, though, he decided to leave it at two.

"In addition to the two cases I reported to them, there are still other potential critical vulnerabilities," Figueiredo told The Register. "However, Sony rewards the efforts of researchers with just a simple shirt. So I decided not to spend more time analyzing Sony systems."

Figueiredo says it is not a matter of greed – he has given the US Department of Defense multiple reports free of charge – but rather having to make ends meet. Finding security vulnerabilities takes a long time, and Figueiredo explained that other companies, such as PayPal, get more attention and auditing because they offer cash rewards.

"Big corporations often say they care about security, but the practical reality is different," Figueiredo said. "Many of the companies that claim to be concerned about the safety of their consumers are, in fact, not."

Swag doesn't pay for groceries

Figueiredo is not alone in that sentiment, either. BugCrowd founder and CTO Casey Ellis told El Reg that while each hacker has their own reasons and motivations for the work they do, at the end of the day, bills have to be paid.

"Swag is cool, and almost all hackers I’ve worked with love it – but it doesn’t work in Walgreens," Ellis said. "It’s important for companies not to confused swag or reputation with cash."

In many cases, cash is also at a premium for bug-hunters. While we may talk of six-figure payouts and accolades for researchers who find high-profile flaws, the reality is that rooting out and then developing proof-of-concept exploit scripts for lower-profile systems can be a tedious, time-consuming task that more often than not brings little financial reward.

"It's quite uncommon to make significant amount of money doing bug bounties," Katie Moussouris, the former Microsoft security strategist who launched Redmond's bug bounty program and now runs her own biz Luta Security, told us. "There's a lot of burnout and frustration."

With few people getting mega-rich, it's easy to see how bounty payouts would make certain companies more attractive to researchers.

So, no cash = no bug reports? Not so fast

Given these circumstances, it would be easy to conclude that organizations that offer cash care more about their security, and those who won't pay up couldn't care less about locking down their products.

But the reality isn't that simple.

Moussouris cautions against condemning corporations that only give out swag, noting that while money can be a factor, it does not by itself determine the quality of a company's security program nor its ability to work well with bug-hunters. For some businesses and teams, swag and kudos may be its first steps toward offering larger rewards. We'd also argue that companies may have hired professional security auditing teams, with bug bounties set up to top up that effort, or at least use it attract people within the infosec community.

"The fact that some offer thanks only, and some offer cash, is not a factor in judging them 'good at security' or not," Moussouris told El Reg. "Google only started offering cash in 2010. It was $1,337."

This, the researchers seem to agree, is the real crux of the issue. Bug-hunters want to feel respected and appreciated for what they do. While paying out money and giving vulnerability researchers a living wage is one, and arguably the best, way to do that, it is not the only way.

"The bounties, when done right, are for targeting eyes to where you're most interested in hearing about bugs," Moussouris said.

"It's fine if researchers don't want to do it for free – there are plenty of bug bounty programs to try if that's the case. But it's also fine for organizations and governments not to pay bug bounties, especially if they haven't put a bunch of thought into structuring the incentives."

Spokespeople for Sony declined to comment. ®