To bug bounty or not?

Your organisation doesn't have security weaknesses. Okay, maybe a few but you invest enough in security that you don’t need the whole Internet to help out. But what if it can?

“Bug bounties are the new boy band.” So said Oracle’s chief security officer Mary Ann Davidson last year in a controversial blog post lambasting security researchers for flooding it with bogus bug reports.

Davidson said that Oracle found 87 percent of bugs, customers found 10 percent, and external researchers found just three percent. And she complained that researchers often sent false positive reports, wasting precious internal security resources. Essentially, Oracle didn’t help from these researchers, she said.

But does it make sense to completely shut out people who could help find that one bug that prevents a breach?

Noted security researcher, Katie Moussouris, told CSO Australia she was spot on about one thing.

“If your organisation isn’t finding the majority of your own bugs, you’re definitely doing it wrong. You should invest in your own security team, tools and processes. But that doesn’t mean you should make hackers that want to report things to you feel unwelcome because honestly you want to hear about all the vulnerabilities so that you can fix them.”

In 2016, vulnerability disclosure and bug bounty programs are not new, particularly in Silicon Valley. But while some traditional firms, such as United Airlines and General Motors have ventured into the territory, many organisations still baulk at inviting hackers to find bugs in company systems. Many still lack process for external researchers to report bugs and it remains common for researchers to receive legal threats when they do report them.

Microsoft has run a vulnerability disclosure program for years, but only in 2013, after several years of pressure from Moussouris then at Microsoft, did it launch its first bug bounty program.

Moussouris recently left third-party bug bounty platform provider HackerOne to start a security consultancy that advises software firms and enterprise organisations on how to develop or improve vulnerability disclosure and bug bounty initiatives.

The most recent organisation she helped was the US Department of Defense, which in May launched the “Hack the Pentagon” bug bounty on HackerOne.

Moussouris sees the DoD’s bounty program as a game changer for the concept, particularly for organisations shy to admit they need outside help.

“The fact that it’s DoD is significant because it’s in charge of one of the most powerful military organisations in the world. If that organisation is saying we need help from the hacker community, that legitimises the whole concept of working directly with hackers. It takes away the stigma that a lot of organisations have of admitting that they have security weaknesses,” she said.

Bug bounties find bugs and talent

For now the DoD program is a 20 day pilot running through May and is limited to a narrow set of DoD websites, but it has spawned discussion among government agencies around the world, particularly in Five Eye nations, according to Moussouris.

Still, the concept of inviting hackers to attack corporate systems is alien to many organisations and problematic for regulated firms, such financial service and healthcare organisations. Unlike an individual penetration-testing firm, bug bounty hackers aren’t under contract, and haven’t signed non-disclosure agreements.

Organisations are also concerned that a bug bounty could leave them inundated by a flood of reports from researchers. One of Oracle’s Davidson main complaints was over resources being tied up responding to false positives.

DoD moved cautiously on its bounty program. It first approached Moussouris about the idea prior to her departure from Microsoft in 2014 and didn’t raise it with her again until late last year, after the Pentagon created the Defense Digital Service (DDS). The small tech savvy unit has a charter to explore alternatives to usual government procurement routes.

Nearly every economy is facing a cyber-security skills shortage and addressing that, according to Moussouris, was one of the key goals of Hack the Pentagon. By the middle of the pilot it had engaged more than 1,000 people, she said.

Microsoft had a similar talent agenda with its bug bounties, the first of which focussed on “defensive ideas” under the $100,000 Mitigation Bypass Bounty.

“It also helped to identify a whole new pool of talent that wasn’t necessarily identifiable out of the population because it was so attack oriented,” said Moussouris.

Bug bounties come in all shapes and sizes

Australia-founded bug bounty startup Bugcrowd, which targets its offering at the enterprise, is riding a wave of interest in crowdsourced security. In April, the company closed a $15 million Series B round to expand its business, including its community of 27,000 hackers.

Bugcrowd CEO Casey Ellis told CSO Australia that people don’t realise that most of its programs are actually run in behind closed doors.

“People think the a bug bounty is one size fits all, that trust is not possible, and it necessitates inviting the entire Internet to participate. The reality is very different. The majority of the programs Bugcrowd run are private using hackers we've vetted for skills and trust,” said Ellis.

“Sometimes this includes things like ID checking and background checking as well, and sometimes it includes things like providing trusted access, access to source code, and delivery for pre-release products. Our focus has been to take the core idea and make it consumable by companies no matter what their level of risk tolerance,” he added.

There’s also the question of cost. Ellis said Bugcrowd’s “Flex programs”, which is the equivalent of a classic penetration test on the web, mobile, IoT, or source code start at US$22,500. HackerOne estimates the total annual cost for its platform ranges between $46,000 and $600,000, depending on the size of an attack surface.

Ellis said that for Bugcrowd’s “traditional customers” it creates a program budget and manages the cost of the the service and the payouts to a capped amount.

But big cash prizes aren’t always necessary and sometimes a little creativity can go a long way.

The Netherlands National Cyber Security Center (NCSC) was the world’s first government agency to launch a bug bounty. These days it may pay researchers up to $300 for a bug report, but it started out with a t-shirt, but not just any t-shirt, according to Moussouris.

“The t-shirts that they give to hackers says: “I hacked the Dutch Government and all I got was this lousy t-shirt”. I think that’s so hilarious. They really understand that audience,” said Moussouris.

Tags OracleSigmaDDSBug Bounty ProgramDoDUnited AirlinesBugcrowdBug bountyCSO Buyers GuideMitigation bypass bountyNCSC

Show Comments