Bugs for cash: Bounty hunters in the new wild west of security

The business of bug hunting is a potentially lucrative one for both seasoned security researchers and amateurs with an interest in hacking. It’s an area that’s gaining legitimacy thanks to official bug bounty programs and hacking contests, but there’s still a seedy underbelly that unscrupulous bounty hunters can take advantage of if they successfully identify a vulnerability.

The average cost of a data breach is $3.8 million, according to research by the Ponemon Institute. It’s not hard to understand why so many companies are now stumping up bounties. It can also be very difficult, time consuming and expensive to root out bugs and flaws internally. Turning to the wider security community for help makes a lot of sense, and where there’s need there’s a market.  

Let’s take a closer look at how the market works.

White market for bugs

Assuming you are a law-abiding, morally upright citizen, you have three options when you identify a serious flaw:

1. Submit directly to the vendor
2. Submit to a third-party bug-bounty program
3. Submit to a hacking contest

Big players such as Google, Samsung and Facebook all offer bounty programs. Back in 2014, Facebook fixed 61 high-severity flaws through its bug bounty program. Since its bug bounty program began in 2011, the social media giant has doled out more than $4.3 million to more than 800 researchers after receiving in excess of 2,400 valid submissions, according to its 2015 Highlights report.

A lot of flaws can earn a lot of money

We’re also seeing the rise of many third-party platforms, such as Bugcrowd. These companies allow clients to list applications they want tested and offer bounties that crowdsourced security talent compete for. Tesla, Western Union, Pinterest and many other companies are customers. Founded in 2012, Bugcrowd boasts that more than 27,000 researchers have identified more than 53,000 vulnerabilities for more than 250 companies since it started trading.

Hacking contests such as Pwn2Own are another option. Hackers demonstrated 21 new vulnerabilities in attacks on browsers and operating systems this year. There are sometimes large cash prizes, and job offers are likely to follow for anyone who finds a big vulnerability that doesn’t involve jumping through too many hoops. Sometimes companies, including Google and Microsoft, run their own hacking competitions.

The dark side of bug bounty hunting

Beyond the white market, there’s also a gray market, with questionable legality. Security researchers can sell vulnerabilities to private brokers with policies about only selling to ethical and approved sources. In that case, the vulnerability may end up being used to spy on private citizens suspected of crimes or used to shut down a terrorist organization, according to Hewlett Packard Enterprise’s Cyber Risk Report 2016. However, it’s often unclear, and sellers can only guess at how the vulnerability may have been used.

In the black market, which is unquestionably illegal, buyers simply sell to the highest bidder. It might be sold to a cybercriminal or network of criminals. It might also be used for corporate spying or even national spying. The seller generally has no insight into how the vulnerability will be used, but it’s a safe bet that someone is going to end up at a disadvantage.

Slow to respond

Finding vulnerabilities is just the beginning. Far too many developers are slow to act to patch those flaws. This can lead the researchers who uncover them to disclose flaws publicly, piling on the pressure for the vendor to take action. They might lose out on a potential bounty, but they’ll still be able to discuss the flaw and benefit from making their discovery of it public.

Even when the developer does patch an exploit or vulnerability, far too many companies are even slower to remediate. You might think that known solutions would be enacted immediately, but that’s simply not the case. Known vulnerabilities often persist much longer than they should, allowing cybercriminals to continue exploiting them long after they’ve been revealed. For example, hundreds of cloud apps were still vulnerable to DROWN weeks after it was unveiled.

Offering bounties can be cost-effective for businesses, and it may go some way towards persuading researchers or hackers to aim for the white market, rather than the gray or black. But they have to act quickly to deal with vulnerabilities and protect their customers. The longer it takes to deal with flaws, the greater the risk that would-be attackers will weaponize them.   

Aiming for the good white-hat-wearing side even further, a smart approach can entail using systems development lifecycle (SDLC) and Open Web Application Security Project (OWASP) programming standards. Also, a well-thought-out vulnerability management program that includes application penetration testing will go a long way in securing any and all applications.  

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.