Abusing the Internet of Things

(Rick Simeone) #1

In 2013, a researcher tried to report a security issue to Facebook that allowed anyone to post on anyone else’s Facebook page (even if they were not friends). The researcher actually reported the issue by following Facebook’s own instructions on reporting security vulnerabilities, but the Facebook security team responded with “Sorry, this is not a bug.” The researcher then posted details of the vulnerability on CEO Mark Zuckerberg’s Facebook page. Within minutes, the security engineering team at Facebook contacted the researcher and worked with him to understand and fix the issue.

Companies such as Microsoft have set up bug bounty programs that pay researchers up to $100,000 USD depending upon the severity of the issues they uncover. The case for such high rewards is that the organizations would have to pay staff or contractors the same amount or more to do the sophisticated research done by the individuals who submit information to bug bounty programs. Categorizing the awards based on severity easily aligns with the goal of lowering the risk for the company and its shareholders.

There are also companies such as HackerOne (Figure 7-32) that facilitate and coordinate bug bounty programs. A company can join the program and have researchers report security issues using the HackerOne website. HackerOne claims that it will not look at the actual vulnerability being reported, since that is private communication between the researcher reporting the issue and the company being reported to. Once the issue is resolved, HackerOne can help the company disclose the vulnerability publicly.

It is terribly important that IoT vendors clearly establish a mechanism for researchers to submit findings of vulnerabilities. Without a clear process, there is little inducement for researchers to spend time reporting issues they uncover. Even though not all companies pay bounties, it makes business sense to do so because it offers an incentive for researchers to discover any vulnerabilities in a company’s products before malicious attackers do and lowers the probability of the issues becoming public before they are fixed—which could put customer information, safety, and the revenue of the business at risk.


228 CHAPTER 7: SECURE PROTOTYPING—LITTLEBITS AND CLOUDBIT