RSAC 2017: The end of easy cash bounties

Last week was unusually rich for the crowd security testing industry in terms of major events and announcements, many of which occurred during the RSA Conference.

Among the positive news, is the US government's announcement to keep their bug bounty program under Trump Administration, giving confidence both to security researchers and to startups raising new millions from wealthy investors. Open Bug Bounty announced 100,000 submissions with over 35,000 fixed vulnerabilities. Meanwhile, new companies, inspired by existing crowd security startups, launched new platforms dedicated to security testing of IoT and other smart devices.

However, probably one of the most important news for the crowd security testing community is a partnership announced between Qualys, the global leader of automated security testing, and Bugcrowd, a prominent bug bounty platform. Henceforth, vulnerabilities detected by Qualys WAS won't be eligible anymore for an award in bounty programs of joint customers. In brief: security researchers, making easy cash by reporting trivial security flaws, are out of the game now.

The days of unregulated Wild West bug bounty market are gone. Such a move was predictable, and is pretty reasonable. In one of my previous articles, I already spoke in details about certain advantages and pitfalls of bug bounties, including bug bounty fatigue phenomenon that was presented a bit more in detail at Black Hat last year.

The issue is actually quite simple: companies running bounty programs for years are usually much less tested, both in terms of quality and quantity, than newcomers. This is because a bug hunter's chance to spot a rewardable vulnerability in a reasonable amount of time are almost zero – everything was already found and reported. Instead, security researchers are quickly jumping on new targets using Google dorking and arsenals of vulnerability scanning software to report the easiest security vulnerabilities before the others, and then switching to the next easy target. Such vulnerability reporting model was quite sustainable until now.

Now companies will benefit from the new approach: the exclusion of simple XSS and similar vulnerabilities from the scope of bounty payment will reduce the volume of garbage traffic, as well as increase an average quality of testing. However, how many skilled security experts will be attracted to spend days and nights on sophisticated vulnerabilities detection without any guarantee to get ever paid? This is questionable, especially taking into consideration a global shortage of cybersecurity professionals.

Mark Barwinski, MSc, CISSP, CISA, cybersecurity director at PwC, comments: "Evolving and maturing bug hunting programs are redefining their criteria while containing costs. Dialing down the noise level is welcomed, however, a security segment traditionally short on skilled researchers may be on the verge of greater and significant pressures as we accelerate digitalization efforts."

Crowd bug hunting is now on the road to becoming a mature instrument in the security testing arsenals of large companies and organizations that operate non-critical public-facing systems. Refusal to pay for vulnerabilities, which Qualys WAS and automated solutions can easily detect at a fixed cost, will certainly make bug bounties more cost-efficient by eliminating newbies sending logs of vulnerability scanners demanding cash. However, if the newbies now turn to cybercrime, how many security professionals will be motivated to conduct regular and comprehensive security testing on the new conditions?