The case for taking the ‘bug’ out of bug bounties

One of the most influential voices in cybersecurity, Katie Moussouris, should be waxing triumphant. She spent years enthusiastically promoting bug bounty programs as a way of both easing the industry’s severe talent shortage and improving digital security for companies and their customers. Now, some of the world’s biggest corporations are following her advice, collectively shelling out millions of dollars annually to freelance digital sleuths who uncover bad code.

But instead of celebrating the rapid growth in bug hunters worldwide and the new crop of startups fueling the marketplace of ethical hackers who find and report software vulnerabilities, Moussouris says the system that she helped pioneer has taken a wrong turn.

“Bug bounties are an imperfect approach to fixing the critical vulnerabilities,” says Moussouris, CEO of the consulting firm Luta Security. The amplified role of cash bounties and the increasing size of those bounties have produced more bug hunters, she says, but not more bugs—at least not of the kind that lead to data theft and disrupted networks.

For the chief security officer or chief information security officer who’s considering a bug bounty program or expanding an existing one, Moussouris’s concerns should serve as a caution light. Companies can benefit from getting the universe of freelance hackers to poke around in their software looking for flaws. But if these organizations want to find the most critical problems, they’ll have to be thoughtful about how they set up their bounty programs—the hackers they include, the incentives they offer, and the targets they invite them to probe.

The crowdsourcing approach has added as many as 200,000 hackers to the undermanned cybersecurity workforce in the past four years, making it a significant element in the security strategies of numerous businesses, from startups to multinational corporations in the Forbes Global 2000.


That growth has been driven by the rise of new cybersecurity companies—HackerOne, Synack, Bugcrowd, and Moussouris’s own firm—that provide a range of services to customers to ensure that hackers are trustworthy, capable, and professional. The benefits include scale—companies supplement their internal security team with hackers from around the world all probing one target—and cost. Depending on severity, payments for a single bug average from a few hundred to a few thousand dollars. That’s a bargain compared to the multimillion-dollar cost of a data breach.

Moussouris, who developed the first bug bounty programs offered by Microsoft and the Department of Defense, says the current model is most effective with new software, which tends to be buggier. But finding the hidden high-impact bugs in mature software and systems requires a more strategic approach to leveraging cybersecurity talent, says Moussouris. Therefore, she says, organizations considering a bug bounty program need to be deliberate about it.

She says taking the “bug” out of bug bounty programs is one vital step: Instead of paying for the discovery of a single computer vulnerability, organizations should offer rewards for software tools and research techniques that can find more significant digital vulnerabilities at scale.


For example, Intel recently launched a special bounty program with a top payment of $250,000 for the discovery of vulnerabilities in the company’s processors. But Intel could save time and money by offering a bounty to cybersecurity researchers like the trio who recently developed a new software tool to help chipmakers determine whether their processors are vulnerable to certain attacks.

“Which approach is more cost-effective? The skill set [that researchers have] to think through each level of flaw in software is really rare,” Moussouris says. “Nobody in the bounty market is offering a reward for that kind of talent.”

Another issue with the way the bug marketplace has evolved, she says, is that many bounty hunters, especially those overseas, use free automated tools to find software bugs. That’s what she calls “a spray-and-pray approach that catches the easiest vulnerabilities, the low-hanging fruit.”

Companies would get more value by hiring a junior security intern to run those same tools, says Moussouris, and by motivating bounty hunters to up their game and seek out the critical, hard-to-find bugs.


Leaders of other bug bounty management startups agree with Moussouris that the model yields a lot of low-priority vulnerabilities. “When you throw a lot of hackers at a problem, you’re bound to get a lot of noise and you’ll have to sift through their findings,” says Synack CEO Jay Kaplan.

He says his company tries to solve for that by being more selective about the security researchers it employs. Synack also equips its hacker teams with a proprietary automated tool designed to identify the low-level bugs, he says, helping them find critical vulnerabilities more efficiently.

Casey Ellis, founder and chief technology officer of Bugcrowd, acknowledges that the hackers his company works with start out targeting easier bugs, “but [the hackers] up-level their skills over time, getting into more critical and complex issues. They do it for the learning and mental challenge as much as they do it for the cash.”

And while Ellis agrees with Moussouris that broadening the scope of bounty programs as much as possible is a good idea, he notes that companies launching a program for the first time often prefer a “crawl, walk, run” approach to phasing hacker feedback into their security operations.

“Conferences like DEF CON are filled with hackers sharing the tools of their trade,” says Ellis, referring to one of the most popular cybersecurity gatherings. “But these tools and techniques are also their intellectual property, so we are likely some ways away from buying or selling these as a core strategy for internet defense.”

Of course, tech companies play a significant role in fueling the bug marketplace and ensuring that it maintains credibility and produces results. But a 2016 case involving Uber has become a cautionary tale of bug programs gone awry. After a criminal hacker penetrated Uber’s digital network and stole the personal data of 57 million customers and drivers, the company paid the hacker $100,000 to destroy the data, according to Reuters. But for a whole year, Uber maintained that the payment was a bug bounty reward, even though it was 10 times what it would have paid under its actual bug bounty program.

Moussouris says the fake Uber bounty helped accelerate the price for software vulnerabilities across the board and pulled many more bug hunters into the marketplace at the expense of tech companies. A 2018 report by HackerOne—where Moussouris worked as chief policy officer for two years—notes that the number of hackers registered on its platform rocketed from about 16,000 in 2015 to more than 160,000 in 2017.

Among this cohort, the report adds, “on average, top earning researchers make 2.7 times the median salary of a software engineer in their home country.” This environment of big-payout expectations on the bounty hunters’ side is “turning ethical hackers into scavengers, in a way,” says Moussouris. “Companies are being harassed for a bounty. This was not happening three years ago.” As a result, she says, organizations that could benefit from a bug program may no longer “have their front door open” to the ethical hacker community.

Moussouris’s point that big bounties may be luring talent away from full-time security positions is well taken, says Synack’s Kaplan. “But I’m not sure there is a way around this issue, as the bug bounty model exists because there is such an alarming shortage of talent in the security industry.”

Crowdsourcing in the B2B space is still relatively new, he says. “It will continue to grow and change as the market demands different things. So, really, we’re just getting started.”