Find a critical pre-authentication (no login needed) exploit that lets you attack VMware's vCenter Server and you could earn $100,000 selling it to a zero-day broker like Zerodium. Do the right thing as a security researcher and report it to the software giant and you will get a big fat nothing other than the warm fuzzy glow of being a good person -- because the $11 billion (by 2021 revenues) company does not run a paid bug bounty programme.
For many, doing the right thing is reward enough. Privately brokered zero-days may end up being used for corporate espionage or by intelligence services; they may also be more obviously abused by authoritarian states.
But with a string of deeply critical bugs being found in VMware's products in recent years by third-party security researchers -- 19 reported this month alone, including the pre-auth RCE CVE-2021-22005, which now has a public POC -- the incentives are badly skewed towards those with less robust ethical codes and in need of some hard cash. That fact has not gone unnoticed by several security researchers, particularly in a world in which companies like Slack have been running bug bounty programmes since 2014 and even notoriously sensitive and often-slow-to-change organisations like the UK's Ministry of Defence are now in on the action.
(MOD ran its first private bug bounty programme in 2021, with CISO Christine Maxwell noting that "working with the ethical hacking community allows us to build out our bench of tech talent and bring more diverse perspectives to protect and defend our assets. Understanding where our vulnerabilities are and working with the wider ethical hacking community to identify and fix them is an essential step in reducing cyber risk.")
VMware bug bounty program: is it... hiding?
The majority of a string of critical bugs reported to VMware this month were identified by two Russian security researchers, whom we understand did not receive any bounty. With private bounty programmes sometimes hard to find, The Stack asked VMware if it had a paid bug bounty programme nestled away quietly somewhere.
The response we received was boilerplate about how "customer protection is VMware’s top priority, and we value the role that security researchers play in helping us keep customers safe" that appeared to amount to a "no".
The company added that its "commitment to industry-standard practices for vulnerability reporting and disclosure is outlined in our publicly available Security Response Policy” -- which provides a security[at]vmware.com email address and which promises that its team will triage reports and "provide feedback to the reporter of the vulnerability and work with them to fix the issue" -- no cheques paid.
Is that enough? As any industry expert will point out, a bug bounty programme does not solve underlying problems like why severe vulnerabilities are not being picked up in the design phase. But with all 19 of this month's vulnerabilities found and reported by external parties rather than during internal testing, something is arguably awry -- and if the trend continues, a financial reward tends to keep hat-ambiguous hackers on side.
Meanwhile, with CVSS 9.8-rated CVE-2021-22005 and CVE-2021-22006 ripe for mass exploitation as proof-of-concepts emerge, VMware users need to be alert to ensure they remain secure. There is some confusion over the details: the CVE write-ups suggest exploitation requires users to upload a malicious file, but as Will Dormann noted today, a POC being shared "reaches without authentication a should-be-protected sensitive API endpoint if the URI contains a '..;/' directory traversal. No files are uploaded. Now-whitelisted collectorId values can still be used to exploit vCenter..."
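The `..;/` pattern Dormann describes works because some servlet containers strip `;`-delimited path parameters from each URI segment before resolving it, so a front-end filter that only looks for a literal `../` can miss the traversal. The following is an added detection example, not code from the article, VMware, or the researcher quoted: it canonicalises request paths the way such a container would (percent-decode, drop `;param` suffixes, resolve `..`) and flags access-log lines whose decoded path contains a `..` segment carrying a `;` suffix, or whose canonical form lands under a protected prefix that the raw path did not name. The log lines, the `/internal/` prefix, and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 512
10.0.0.9 - - [22/Sep/2021:10:01:05 +0000] "GET /public/..;/internal/api/status HTTP/1.1" 200 88
10.0.0.9 - - [22/Sep/2021:10:01:06 +0000] "POST /public/%2e%2e;/internal/api/upload HTTP/1.1" 200 17
10.0.0.7 - - [22/Sep/2021:10:01:09 +0000] "GET /docs/../public/index.html HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Assumed protected prefix for the example; a real deployment would list its own.
PROTECTED_PREFIXES = ("/internal/",)


def decoded_path(uri):
    """Strip the query string and percent-decode the remaining path."""
    return unquote(uri.split("?", 1)[0])


def normalize_servlet_path(uri):
    """Canonicalise a request path the way a servlet container resolves it:
    percent-decode, drop ';param' path parameters from each segment,
    then resolve '.' and '..' segments against the path root."""
    segments = []
    for seg in decoded_path(uri).split("/"):
        seg = seg.split(";", 1)[0]  # '..;foo' becomes '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_semicolon_traversal(uri):
    """True when a '..' segment carries a ';' path-parameter suffix."""
    for seg in decoded_path(uri).split("/"):
        if ";" in seg and seg.split(";", 1)[0] == "..":
            return True
    return False


def find_suspicious_requests(log_text, protected_prefixes=PROTECTED_PREFIXES):
    """Return (raw_uri, canonical_path, reason) for each log line worth a look."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("uri")
        canonical = normalize_servlet_path(raw)
        reasons = []
        if is_semicolon_traversal(raw):
            reasons.append("dot-dot segment with ';' path parameter")
        raw_path = decoded_path(raw)
        for prefix in protected_prefixes:
            if canonical.startswith(prefix) and not raw_path.startswith(prefix):
                reasons.append("canonical path enters protected prefix " + prefix)
        if reasons:
            hits.append((raw, canonical, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for raw, canonical, reason in find_suspicious_requests(SAMPLE_LOG):
        print(f"{raw} -> {canonical}  [{reason}]")
```

The plain `/docs/../public/index.html` line is deliberately not flagged: it traverses, but it never leaves public space, so a rule that fired on every `..` would drown the signal in noise. Matching on the canonical destination rather than on the raw string is what lets the check catch the encoded variant as well as the literal one.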
The company suggested in a Q&A shared alongside its mid-month security advisory that it was taking a look at its development processes, saying "our product teams always look at the situation surrounding a vulnerability to see why the issue wasn’t caught as part of our secure development processes. We make improvements to our own processes that help future releases" -- but also hinted that poor customer configuration was often to blame for security issues, noting that "VMware has typically been focused on product security capabilities, and generally avoided prescriptive or opinionated statements on how folks should run their businesses. Security is a very process-driven field, though, and by not explicitly showing best practices we have left a gap for many customers who are not as security-knowledgeable as they might need to be nowadays. We are working to fix that with more prescriptive guidance, which is already apparent in the updates to the vSphere Security Configuration Guide."
When it comes to bug bounty programmes, meanwhile, for reasons not shared with us, VMware (unlike all the cloud hyperscalers and many other software companies, including SAP) appears to have decided it is not an avenue it wants to go down. We would welcome your views on this...