AusCERT 2018 - The art of bug bounty programs

Bug bounty programs have become extremely popular over recent years. The idea is that you release some software, either to the public or to a closed beta group, and invite a swarm of security researchers to find vulnerabilities and security problems in your application or service. Depending on the severity of the issues they find, you compensate them. For example, in the most recent release of Google's Chrome web browser, security researchers were awarded as much as US$5,000 for finding and reporting issues.

Katie Moussouris (Twitter: @k8em0) is a noted authority on bug bounties. She helped the US Department of Defense start the government's first bug bounty programs, "Hack the Pentagon," and "Hack the Army", created Microsoft's bug bounty programs, and started Microsoft Vulnerability Research. She opened the second day of the annual AusCERT conference, discussing the challenges and opportunities that a successful bug bounty program presents.

Moussouris told the audience that the number of CVE (Common Vulnerabilities and Exposures) entries, one of the main tools we use for counting and tracking vulnerabilities, has doubled. As the problem grows with the deployment of more devices and a wider array of use cases through IoT, autonomous vehicles and other technology, the tools and systems we have in place to manage it become harder to apply.

When Microsoft launched its bug bounty program with Moussouris, the company had to shift its mindset. It moved from a "no hacker will ever access our systems" perspective to one where bug bounties were embraced as a way to deal with the massive number of issues being uncovered in its software. Similarly, the Pentagon needed to change its perspective, since it used to be illegal even to report a vulnerability in its systems.

"Bug bounties are really important to me," said Moussouris. "But constructing them in a way that doesn't amplify the wrong kinds of signal, the wrong kinds of noise."

That is against a backdrop of a world where bug bounties are becoming increasingly popular as we struggle to keep up with the number, scope and scale of the vulnerabilities we face. Throwing more money at the problem has not solved vulnerability management.

While the creation of patches and other fixes has been important, we simply have not been able to close the gap between the release of a patch and its installation. Moussouris said that window points to a deficiency in the entire ecosystem.

The problem, she said, lies in "the gap between the patch being ready and available, and this window of opportunity where attackers can take advantage of when these patches have not yet been deployed".

When it comes to vulnerabilities, Moussouris said there are three ways we can learn about them.

Firstly, there is ethical disclosure, where an outsider tells you about a problem they have discovered. You can also conduct penetration tests, where insiders, either staff or contracted specialists, examine your systems looking for vulnerabilities. And there are bug bounties, where you reward security researchers for finding flaws in your systems.

Having seen the success of other bug bounty programs, businesses embrace this new way of finding vulnerabilities but are not prepared for what might come in. They have not considered whether the researchers looking at their systems are friends or foes. And the conditions of the program might not adequately protect either the business or the hacker from legal harm.

Bug bounty programs need to define what actually counts as a breach, what is in scope during the program, and how the impact of a breach will be weighed. For instance, if a researcher accesses PII or other confidential data during their investigation, it is important that they access no more data than necessary to prove the issue. In one case, a researcher accessed tens of millions of records from Uber to prove a vulnerability.

It is also important to have the requisite skills and staff numbers to deal with the incoming reports.

"If you cannot handle incoming bug reports from today's devices, what hope do you have against autonomous vulnerability discovery methods," said Moussouris. 

Although, on the face of it, bug bounty programs look like they are about money, that is not the case, said Moussouris. She said you do not have to outbid the offensive market, as you can motivate researchers in many other ways.

"Non-monetary incentives are huge," she said. "Challenge points are a thing a lot of people work for."

One of the things Microsoft did was give hackers who reported vulnerabilities through bug bounty programs access to specialised clothing for their Xbox avatars.

Other program design choices include placing a cap on the number of hackers who participate, and asking for hacking techniques rather than individual bugs, as techniques are more valuable.

While bug bounty programs are becoming increasingly popular, Moussouris said they are not a replacement for penetration testing. Instead, she said, they are complementary: they can be used to clear the low-hanging fruit so your pen testing team can focus on critical issues. She also noted that the money on offer sometimes attracts less-skilled hackers focused on relatively easy-to-find cross-site scripting bugs rather than more serious problems.

Bug bounty programs are not just about unleashing the hounds on your software and systems. They can be a targeted activity that attracts the right people, through appropriate incentives, to complement your existing security processes and strengthen your security posture.
