Why Companies Fear Bug Bounty Programs

Yesterday Randy Westergren wrote this blog post: United Airlines Bug Bounty: An experience in reporting a serious vulnerability.  I do not know Randy and do not think he did anything wrong but his post is a perfect example of why companies I talk to are afraid of implementing bug bounty programs.
He hit the trinity of why companies fear bug bounty programs in one post:

  • Their development cycle wasn’t fast enough for the researcher.
    Is six months a “more than reasonable time frame”?  On the surface, sure, but unless you sit in their planning games and know their regulatory commitments, roadmap and backlog, you cannot say that for sure. Most companies already have enough internal and contractual pressure on their development cycles without a researcher who is “helping” adding another source of it.


  • The researcher involved the press:
    Companies do not want to be in the press for having poor security.  So sure, when he contacted the press they fixed the issue, but it didn’t win him or security researchers any friends at United. Companies do not want to manage a bug bounty program as a fire-fighting exercise. They want to intake the bugs into their regular development cycle and work them through their normal process.
  • The researcher went “rogue”:
    He wasn’t going to get compensated for his work since it was a duplicate, so the only kind of compensation he could still get was to go public.  Companies can’t pay for every duplicate bug found, and it only takes one researcher going rogue to sour a bug bounty program for a company.

While I do not fault Randy for his blog post or thought process, a company gives up a lot of legal cover by running a bug bounty program.  If they do not perform to a researcher’s expectations and get called out in this manner, that is a reason for them to think twice about their program and whether it is worth it.


I spend a lot of time working in the Starbucks near my office.  It is a great place to slip away from the office for an hour when I need to do some heads-down work but don’t want to be completely anti-social.

Even though I always use a VPN, one thing that always bothered me was that Starbucks was grabbing my MAC address every time I logged in:

I am not a big fan of being tracked like this so this weekend I wrote randomMAC for OSX to quickly change my MAC address.

So now when I log in at Starbucks I am passing it a random MAC:
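The idea behind a tool like randomMAC is simple: generate a fresh hardware address each time and hand it to the interface before joining the network. The script below is an added example, not the randomMAC code from this post. It generates an address with the locally-administered bit set and the multicast bit clear (so it can never collide with a vendor-assigned prefix and is always a valid unicast address), validates it, and by default only prints the macOS `ifconfig … ether …` command it would run; `--apply` actually runs it via sudo. The interface name `en0` is assumed to be the Wi-Fi adapter.

```python
import os
import re
import shlex
import subprocess
import sys
from typing import List

# Lower-case, colon-separated, six octets.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac() -> str:
    """Return a random MAC address that is unicast and locally administered.

    Bit 0 of the first octet is the I/G bit (0 = unicast) and bit 1 is the
    U/L bit (1 = locally administered), so the first octet always ends in
    2, 6, a or e and never matches a vendor-assigned (OUI) prefix.
    """
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return ":".join(f"{o:02x}" for o in octets)


def is_local_unicast(mac: str) -> bool:
    """True when mac is well formed, unicast and locally administered."""
    if not MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    return (first & 0x01) == 0 and (first & 0x02) != 0


def ifconfig_command(interface: str, mac: str) -> List[str]:
    """Build the macOS ifconfig invocation that sets the address (needs root).

    Both arguments are validated so nothing unexpected reaches the command line.
    """
    if not re.fullmatch(r"[a-z]+[0-9]+", interface):
        raise ValueError(f"unexpected interface name {interface!r}")
    if not is_local_unicast(mac):
        raise ValueError(f"refusing {mac!r}: not a locally administered unicast address")
    return ["ifconfig", interface, "ether", mac]


def main(argv: List[str]) -> int:
    # Assumption: en0 is the Wi-Fi interface; pass another name as the first argument.
    interface = argv[1] if len(argv) > 1 and not argv[1].startswith("--") else "en0"
    cmd = ["sudo"] + ifconfig_command(interface, random_mac())
    if "--apply" in argv:
        # Really change the address; macOS only, prompts for the sudo password.
        subprocess.run(cmd, check=True)
    else:
        print("dry run, would run:", shlex.join(cmd))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the command it would issue; the address does not survive a reboot, which is exactly what you want for a per-visit identifier.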

Disable Frequent Location Tracking in iOS 9

I have been using the iOS 9 Public Beta 2 and one of the things that I do not like (and has really been freaking me out) is the Frequent Location Tracking. 

I was getting alerts like this:


This made me have the following thoughts:

  • I am not going to Columbia right now.
  • Am I going to Columbia right now?
  • Why does my phone think I am going to Columbia right now?
  • Wait… why does my phone think I am going to Columbia?

The answer to this is a new-ish feature in iOS 9 called “Frequent Locations” and it does a stalker quality job of keeping track of you:  


You can and should turn this and Location-Based Alerts and Location-Based iAds off in: Settings > Privacy > Location Services:


Compare Two Files

At work this week I needed to compare two files to see if they had the same MD5 or SHA256 hash.  After spending way too long trying to get hashdeep and md5deep to work correctly and not finding anything else to easily do this I wrote compare.py today. 


This script is the definition of utilitarian but I hope it can help you also.
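For readers who want the same utility without hunting for hashdeep or md5deep, here is an added example that is not the compare.py from this post. It reads each file once in fixed-size chunks (so large files never have to fit in memory), computes MD5 and SHA-256 in the same pass, and reports each digest separately; `same_content()` only says yes when every digest agrees, because an MD5 match on its own is not proof of identity. `demo()` builds its own constructed sample files in a temporary directory so the code runs offline.

```python
import hashlib
import os
import sys
import tempfile
from typing import Dict, Iterable, Tuple

ALGORITHMS: Tuple[str, ...] = ("md5", "sha256")
CHUNK = 1024 * 1024  # read 1 MiB at a time so large files never have to fit in memory


def file_digests(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hexdigest} for one file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_files(a: str, b: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, bool]:
    """Per-algorithm verdict: True where the two files' digests agree."""
    algorithms = tuple(algorithms)
    da, db = file_digests(a, algorithms), file_digests(b, algorithms)
    return {name: da[name] == db[name] for name in algorithms}


def same_content(a: str, b: str) -> bool:
    """Identical only if every requested digest matches.

    MD5 is collision-prone, so an MD5 match alone proves little; the
    SHA-256 comparison is the one that carries the weight here.
    """
    return all(compare_files(a, b).values())


def demo() -> Dict[str, object]:
    """Constructed sample: an original, a byte-for-byte copy, a file that
    differs in its last byte, and an empty file with well-known digests."""
    with tempfile.TemporaryDirectory() as tmp:
        def write(name: str, content: bytes) -> str:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            return path

        data = os.urandom(3 * CHUNK + 17)  # spans several chunks on purpose
        orig = write("orig.bin", data)
        copy = write("copy.bin", data)
        flipped = write("diff.bin", data[:-1] + bytes([data[-1] ^ 0x01]))
        empty = write("empty.bin", b"")
        return {
            "copy": compare_files(orig, copy),
            "diff": compare_files(orig, flipped),
            "same": same_content(orig, copy),
            "empty": file_digests(empty),
        }


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} FILE_A FILE_B", file=sys.stderr)
        return 2
    result = compare_files(argv[1], argv[2])
    for name, ok in result.items():
        print(f"{name:7s} {'match' if ok else 'DIFFER'}")
    return 0 if all(result.values()) else 1  # exit status usable from a shell script


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python compare.py fileA fileB`; the exit status is 0 only when both digests match, so the script drops straight into a shell `&&` chain.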

iOS 8 Allows Siri To Bypass Your Lock Screen

By default, iOS 8 allows Siri to bypass your iPhone’s lock screen and reply to messages.  You should disable it.  Here is how:

1) Go to Settings.
2) Go to Touch ID & Passcode.
3) Turn off everything in “Allow Access When Locked”.


How To Disable Twitter Photo Tagging

Twitter added a photo tagging feature today and like Facebook decided to have the default setting to allow anyone to tag you.

For your own safety you should change it to “Do not allow anyone to tag me in photos”.

The steps to do this are easy:

1) Log in to Twitter.com.
2) Go to the Settings tab.
3) Go to the Security tab.
4) Under Photo Tagging click “Do not allow anyone to tag me in photos”.
5) Scroll to the bottom of the page and click “Save changes”.
6) Enter your password to save your changes.

The Dim Mak at InfoSec Conferences

First off, I must admit one of my all-time favorite movies is Bloodsport.

I was watching it recently and it struck me that I have seen this Dim Mak scene play out at countless infosec cons:

No, I haven’t seen anyone break a brick with a secret move at an underground martial arts tournament (that I am telling you about) but I have seen people prove they can do amazing things only to be greeted with a room full of “not impressed” faces.

Broadcasting the SSID and password on national TV for the Super Bowl security command center is probably bad.
