Home / Blog / Bug Bounties in ICS: Vulnerabilities in search and arrest

Bug Bounties in ICS: Vulnerabilities in search and arrest

Posted on 10/08/2015, by INCIBE
Reward: Dead or Alive!

Bug bounties

Bug bounties are programmes offered by different software or hardware development companies that reward external researchers after having carried out security tests on one of their products or services and having identified some security flaw.

Bounty programmes were born in 1995 when Netscape decided to take an alternative approach to security testing on their systems. These programmes tend to have a defined scope in addition to very clear conditions in order to prevent problems when carrying out security tests in their environments. At present, many technology-based companies such as Apple, Adobe, AT&T, Avira, Box, Cisco, Ebay, Dropbox, Evernote, Google, HTC, Huawei, Joomla, etc. have their own bounty programmes for security researchers.

With regards to the bounties rewarded by the companies, there are three different types:

  • Economic: companies offer financial compensation in exchange for the researcher to maintain a certain level of secrecy regarding the vulnerability found in addition to conscientious disclosure of the security flaw.
  • Hall of fame: companies add the researcher’s name to the company’s web page in recognition of their research efforts.
  • Gifts: the company awards merchandise, vouchers or software licenses, normally all from the same company.

One must also remember that these types of programmes involve interacting with software or hardware from one specific company. For this reason, said company will to some extent limit the research in order to define the maximum scope of the investigation. If these limits are violated legal action may be taken. This situation does not greatly encourage all researchers since the restrictions that companies sometimes impose do not offer the option of carrying out the research or tests that researchers desire.

Bug Bounties in ICS Settings

In terms of bounty programmes in industrial control systems, there are not many companies that offer awards or recognition to those researchers who have invested their time in product analysis. One of the few examples of bug bounties in industrial settings is the company IntegraXor which offers bounties in the form of SCADA software product licenses under certain conditions, as to be expected.

Similar to a bounty programme is the initiative called project Basecamp which is organised by Digital Bond. Although this initiative did not offer awards, it is of interest to the industrial sector since tests were run on different devices from different manufacturers after bringing together highly regarded researchers with the goal of analysing the vulnerabilities found. This was one of the first initiatives of its kind within the industrial setting.

Some restrictions imposed by companies that tend to be common among all bounty programmes, including the previously mentioned IntegraXor, are the following:

  • Access restrictions to the company’s internal systems. This way, companies can be certain that researchers are not accessing devices that contain sensitive information or controlling a vital process.
  • Analysis of previous versions. Companies will not accept vulnerabilities found in versions previous to the current one unless said vulnerability is also active in the latest version. They will also not accept vulnerabilities discovered in the Beta or test versions.
  • The use of certain tools is prohibited. Those that are too intrusive and can end up generating denial of service as well as those which create spam do not tend to be allowed under any circumstances.
  • Use of third party libraries. It is not usual for the use of third party libraries, DLLs or plugins for exploiting vulnerabilities to be allowed.

sistema de comunicaciones centralizadas con fallos

- Bounties in Industrial Control Systems -

Bug Bounty programmes...Are they advantageous to system security?

Industrial settings form a world that is rather opposed to both the publication of vulnerabilities as well as the release of device code. This reluctance thus translates to unwillingness with regards to testing their systems and devices. This situation is created in order to give people a sense of security given that a device on which no vulnerabilities have been found is assumed to be safe. It is therefore not surprising that there are almost no programmes that reward the research efforts of security experts in this sector.

Bounty programmes also attempt to tackle the problems associated with 0-day vulnerabilities sold by researchers in the underground market. Said vulnerabilities are apparently sold in exchange for large amounts of money depending on which vulnerability is being purchased and the use it can be given. The problem of selling vulnerabilities has an effect on both corporate and industrial settings, but the impact on the latter can be much greater due to the importance of these systems.

The publication of vulnerabilities in industrial control systems is still difficult to tackle. Companies do not want possible security flaws to be discovered, but manufacturers often do not pay heed to researchers, either. After failing to obtain answers in response to their warnings, said investigators are then forced to make their research known with specialised lectures aiming to coerce manufacturers to take the measures necessary to resolve the malfunctions. This approach to disclosing information can result in the researcher ending up engulfed in legal problems for the release of professional secrets.

We must keep in mind that if industrial control systems were to propose reward programmes to those who carry out research - and if said rewards were proportional to the difficulty of their research efforts - devices and systems would be more secure just like those of other companies outside of this sector.