Extortion or fair trade? The value of bug bounties

Vendors without bug bounty programs risk the wrath of the infosec community, but such programs must be constructed carefully to yield optimal outcomes


A security researcher, sitting on what he claims are 30 flaws in various FireEye products, is demanding the security company pay researchers for vulnerability reports.

The confrontation highlights the challenges organizations face when working with the security research community. 

Kristian Erik Hermansen initially said he tried to work with FireEye to fix the vulnerabilities -- and FireEye ignored him. "I tried for 18 months to work with FireEye through responsible channels, and they balked every time," he said, according to a recent post on CSO.

Digging into the timeline, it appears Hermansen notified FireEye that he found serious issues, but demanded compensation. Since FireEye didn't have a formal bug bounty program in place, Hermansen refused to provide further details of the issues and insisted the company first implement a program for paying researchers. That was a little more than a year ago. FireEye learned of the details of one of the vulnerabilities along with everyone else when Hermansen posted information on Exploit-DB and Pastebin over the weekend.

FireEye said it has repeatedly reached out to Hermansen over the past year to learn what sort of information he has, but he kept asking about compensation. Hermansen told CSO he won’t talk to FireEye unless the company pays him. The current price tag is set at $10,000 per vulnerability.

Bounty or blackmail?
