One area of 2013 that has really interested me has been around bug bounty payments and the trading
With the introduction of the Hacker One
programme, Yahoo’s situation
regarding payment for a bounty and the dilemma
of who you sell a bug too, the story has been prominent throughout this year.
from Kaspersky from this year said that it encouraged attention to be paid to “the flourishing, unregulated marketplace where zero-day exploits are traded among agencies with unlimited budgets”; while the Hacker News
reported that a Windows OS sells for up to $250,000
and Google paid approximately $580,000 over three years for 501 vulnerabilities discovered in the Chrome browser.
Penetration tester Robin Wood told IT Security Guru that if a researcher is looking for money then who they sell to is based on their personal morals, while some will just go for the highest bidder and some will sell to a “friendly” bidder. “I’ve done some research that was passed to the company and fixed silently as the company was friendly and responsive but I’ve done other work I’ve made public after the after the company didn’t show interest in fixing the problems,” he said.
In order for those white hats to not only submit bugs, but also find who pays bounties, resources have emerged over the past 12 months to enable the vendor and white hat to meet in the middle. Jeremiah Grossman, CTO and founder of WhiteHat Security said that a year or two ago, you could count the number of programs with your fingers but today, the list is quite large and growing larger by the day.
“The market, the industry and the researchers have adopted them. I’ve talked to more than a dozen program operators and every single one of them has said their program has worked phenomenally well, even to the point where it’s putting value pressure on the classic professional pen-test model,” he said.
“Not a single one I’m aware of has had a horror story, let alone cackled the program. Bounty programs have the ability to shake up the way security consulting and disclosure works in general.”
Grossman in particular pointed to bug bounty “brokers
” Bugcrowd. Its founder and CEO Casey Ellis told me that despite only being eight people, it had attracted more than 4,000 testers to submit bugs and upon approval, get paid via Bugcrowd.
Ellis told IT Security Guru said that the number of options has increased for two reasons: larger firms who have been doing it for a while and new companies for whom “it just makes sense”.
He said: “When you look at the threat that an application is facing it looks like a crowd, so it makes sense to use a crowd to counter that threat. An attack requires lots of hackers and skillsets and time, when you ar
e defending the more eyes you have got on a target, the better.
“We make it very easy to sign up and establish a level of trust. We give the companies the opportunity to be proactive and make sure they are rewarded for that, but if you don’t have an issue with testing it is a grey area and if you do it you can attract pretty good talent.”
Ellis admitted that the concept of kudos around bug bounties has evolved to the stage where big companies wouldn’t hire someone if they were not on a hall of fame. “You can have work experience and certifications and practical experience, but to be on a wall of fame on a company’s bug bounty program means you have proven your capabilities with a security vulnerability in the wild, which is a big part of what we are trying to encourage with profile pages and make this a resume for security researchers.”
The concept of Bugcrowd works by the company sitting in the middle and allowing bugs to be submitted through the portal, and validating it to be a true issue. “The finder gets rewarded and the company gets the details of the issue to go and fix it,” Ellis said.
He claimed that there is an undercurrent of the hacker culture of people wanting to learn and with more opportunities offered and it being easier, they help make that better.
“There is a term ‘skating to where the puck is going to be’ and we have done that to an extent, and the other side is putting a lot of effort into the community and once you get the guys onside, there is quite a lot of sentiment,” he said.
Grossman said that the number of available bounty programs has exploded as he had predicted. “In my experience no vendor has been ‘pushed’ into offering a bounty program – heavily encouraged maybe, but not pushed. Each organisation has figured out offering a bounty program brings unique business value or they simply wouldn’t offer one and as we see, the rewards need not be exceptionally high to make program attractive.
“The market is still very small, but likely will change in the years to come. Most bounty programs will spawn and bounties will rise.”
As I investigated a few months ago, there is an ethical decision to be made when it comes to selling vulnerabilities; do you do it to the vendor, to a hacker or even a Government?
The method to provide it ethically to the vendor has become a lot easier thanks to the likes of Bugcrowd and businesses are realising that too – as a huge number of companies are now registered with them and this is changing the way that companies are dealing with white hats and fixing their bugs. I usually let others predict for the future, but this model may be replicated elsewhere next year as zero-days become more and more prominent.