To bug bounty or not?

Your organisation doesn't have security weaknesses. Okay, maybe a few but you invest enough in security that you don’t need the whole Internet to help out. But what if it can?

“Bug bounties are the new boy band.” So said Oracle’s chief security officer Mary Ann Davidson last year in a controversial blog post lambasting security researchers for flooding it with bogus bug reports.

Davidson said that Oracle found 87 percent of bugs, customers found 10 percent, and external researchers found just three percent. She also complained that researchers often sent false-positive reports, wasting precious internal security resources. Essentially, Oracle got no help from these researchers, she said.

But does it make sense to completely shut out people who could help find that one bug that prevents a breach?

Noted security researcher Katie Moussouris told CSO Australia that Davidson was spot on about one thing.

“If your organisation isn’t finding the majority of your own bugs, you’re definitely doing it wrong. You should invest in your own security team, tools and processes. But that doesn’t mean you should make hackers that want to report things to you feel unwelcome because honestly you want to hear about all the vulnerabilities so that you can fix them.”

In 2016, vulnerability disclosure and bug bounty programs are not new, particularly in Silicon Valley. But while some traditional firms, such as United Airlines and General Motors, have ventured into the territory, many organisations still baulk at inviting hackers to find bugs in company systems. Many still lack a process for external researchers to report bugs, and it remains common for researchers to receive legal threats when they do report them.

Microsoft has run a vulnerability disclosure program for years, but only in 2013, after several years of pressure from Moussouris, then at Microsoft, did it launch its first bug bounty program.

Moussouris recently left third-party bug bounty platform provider HackerOne to start a security consultancy that advises software firms and enterprise organisations on how to develop or improve vulnerability disclosure and bug bounty initiatives.

The most recent organisation she helped was the US Department of Defense, which in May launched the “Hack the Pentagon” bug bounty on HackerOne.

Moussouris sees the DoD’s bounty program as a game changer for the concept, particularly for organisations shy to admit they need outside help.

“The fact that it’s DoD is significant because it’s in charge of one of the most powerful military organisations in the world. If that organisation is saying we need help from the hacker community, that legitimises the whole concept of working directly with hackers. It takes away the stigma that a lot of organisations have of admitting that they have security weaknesses,” she said.

Bug bounties find bugs and talent

For now the DoD program is a 20-day pilot running through May and is limited to a narrow set of DoD websites, but it has spawned discussion among government agencies around the world, particularly in Five Eyes nations, according to Moussouris.

Still, the concept of inviting hackers to attack corporate systems is alien to many organisations and problematic for regulated firms, such as financial services and healthcare organisations. Unlike an individual penetration-testing firm, bug bounty hackers aren’t under contract and haven’t signed non-disclosure agreements.

Organisations are also concerned that a bug bounty could leave them inundated by a flood of reports from researchers. One of Oracle’s Davidson’s main complaints was over resources being tied up responding to false positives.

DoD moved cautiously on its bounty program. It first approached Moussouris about the idea prior to her departure from Microsoft in 2014 and didn’t raise it with her again until late last year, after the Pentagon created the Defense Digital Service (DDS). The small, tech-savvy unit has a charter to explore alternatives to the usual government procurement routes.

Nearly every economy is facing a cyber-security skills shortage, and addressing that, according to Moussouris, was one of the key goals of Hack the Pentagon. By the middle of the pilot it had engaged more than 1,000 people, she said.

Microsoft had a similar talent agenda with its bug bounties, the first of which focused on “defensive ideas” under the $100,000 Mitigation Bypass Bounty.

“It also helped to identify a whole new pool of talent that wasn’t necessarily identifiable out of the population because it was so attack oriented,” said Moussouris.

Bug bounties come in all shapes and sizes

Australia-founded bug bounty startup Bugcrowd, which targets its offering at the enterprise, is riding a wave of interest in crowdsourced security. In April, the company closed a $15 million Series B round to expand its business, including its community of 27,000 hackers.

Bugcrowd CEO Casey Ellis told CSO Australia that people don’t realise most of its programs are actually run behind closed doors.

“People think a bug bounty is one size fits all, that trust is not possible, and that it necessitates inviting the entire Internet to participate. The reality is very different. The majority of the programs Bugcrowd runs are private, using hackers we've vetted for skills and trust,” said Ellis.

“Sometimes this includes things like ID checking and background checking as well, and sometimes it includes things like providing trusted access, access to source code, and delivery for pre-release products. Our focus has been to take the core idea and make it consumable by companies no matter what their level of risk tolerance,” he added.

There’s also the question of cost. Ellis said Bugcrowd’s “Flex programs”, which are the equivalent of a classic penetration test on web, mobile, IoT, or source code, start at US$22,500. HackerOne estimates the total annual cost for its platform ranges between $46,000 and $600,000, depending on the size of the attack surface.

Ellis said that for Bugcrowd’s “traditional customers” it creates a program budget and manages the cost of the service and the payouts to a capped amount.

But big cash prizes aren’t always necessary and sometimes a little creativity can go a long way.

The Netherlands National Cyber Security Centre (NCSC) was the world’s first government agency to launch a bug bounty. These days it may pay researchers up to $300 for a bug report, but it started out with a t-shirt, and not just any t-shirt, according to Moussouris.

“The t-shirts that they give to hackers say: ‘I hacked the Dutch Government and all I got was this lousy t-shirt’. I think that’s so hilarious. They really understand that audience,” said Moussouris.
