
A method to mathematically prove that a hacker has found a software bug, without revealing details of how the exploit works, could prevent companies from ignoring security vulnerabilities.
It is generally considered good practice for security researchers and ethical hackers who find a bug to disclose it to the software鈥檚 creator before going public, ensuring there is time to fix it. Many companies have launched bounty programmes that reward those who discover flaws in their systems to incentivise reporting and improve security.
However, things aren鈥檛 always so simple. Companies can deem a submitted vulnerability to be trivial and refuse to either fix it or pay a reward. In that scenario, the person who found the bug faces an ethical dilemma: do nothing and leave a vulnerability unfixed, or publicly disclose the details to force the company鈥檚 hand and put users at even greater risk temporarily.
Advertisement
Now, at software company Galois and his colleagues have developed a system that they say solves this problem. They use a method called a (ZKP) to verify that there is a vulnerability in a certain program, while keeping details secret. This would create public pressure for a fix without allowing hackers to exploit it in the meantime.
ZKPs were discovered in the 1980s and provide a mathematically verifiable way for one person to prove knowledge of a certain thing, without revealing any details. It has been suggested that they could be used by states to prove that nuclear warheads had been destroyed or to protect banking transactions.
鈥淵ou can shame them into doing it, basically,鈥 says Cu茅llar. 鈥淭here are a lot of frustrated people trying to disclose vulnerabilities, or saying 鈥業 found this vulnerability, I鈥檓 talking to this company and they鈥檙e doing nothing鈥.鈥
The team created a piece of software that analyses the source code of a program, along with details of how a flaw in the code can be exploited to extract data that should be protected. This software then produces a mathematical proof that the flaw exists, without giving any details. By running the ZKP through the software again, anyone can verify that the flaw in the original program exists.
has been an active bug bounty hunter for 15 years, submitting those he finds to the bug bounty scheme HackerOne. He says that ZKPs are a clever solution to specific problems, but he does have concerns that they could create a 鈥渞ansom effect鈥.
鈥淚 can tell you 鈥榟ere鈥檚 the zero-knowledge proof that I found the vulnerability, now pay me鈥. And now there鈥檚 negotiation over how much they pay. It gives power to the attacker, but it also maybe gives too much power,鈥 he says.
Others are sceptical that the tool, which adds a layer of complexity to reporting bugs, is needed at all. at Old Dominion University in Norfolk, Virginia, says he struggles to see a scenario where a ZKP of a vulnerability is more useful than the details of the vulnerability itself.
鈥淓veryone who鈥檚 introduced to zero-knowledge proofs falls in love with them,鈥 he says. 鈥淪o, as I read this paper, on one hand, I鈥檓 fascinated: this seems like it would work, it鈥檚 cool, I鈥檓 excited. On the other hand, it seems like a solution in search of a problem.鈥
Reference: