Hacker Versus Hacker


Although bug bounty programs have massive advantages, it is essential for both organisations and hackers to not rely on them.

Restaurant aggregator and food delivery company Zomato promises to pay $4000 to anyone who finds a bug in their website. Bug bounty programs are a full-fledged business, and bug bounty hunter is a professional career choice today. From the Pentagon and Goldman Sachs to Microsoft and thousands of small businesses, these programs are popping up everywhere.

Considering just one platform, HackerOne has 800,000 hackers registered and paid $44 million in cash rewards in 2020 alone. The numbers are overwhelming, but it’s good to know there’s a community of “friendly hackers”.


The Start of Something Better

A couple of decades ago, several software vendors received bug reports from security researchers, aka ethical hackers, for free. With proper day jobs, these researchers did their research on the side, or they were experts on security teams who took on pro bono work as a way to promote their teams’ research.

Soon, several high-profile bug hunters got together to raise their voices against it. Apart from the possible monetary value of bug reports, the legal risk of being sued, threatened, or imprisoned was reason enough to stop and reconsider the pro bono practice. The success of the ‘No More Free Bugs’ movement paved the way for the rise of bug bounty programs.

Bug bounty programs came into existence as agreements offered by certain companies to ethical hackers, who are rewarded for finding and reporting security vulnerabilities. The end goal is to fix a vulnerability before it becomes common knowledge or cybercriminals discover it. In recent times, companies across industries have been investing in a model that is more diverse, customisable, and inexpensive. Apart from the popular global bug bounty platforms like HackerOne, BugCrowd, Cobalt, Safehat, and Intigriti, some of the top bug bounty programs in the Middle East include the Saudi Federation for Cyber Security and Programming’s (SFCSP) BugBounty and CROWDSWARM.

As the bug bounty market grows more crowded, maintaining a successful program can get complicated. Experts believe it is important to have a strong strategy in place before implementation.

Bug Bounty 101

There are in-house models and outsourced models, and both possess merits and drawbacks. 

Most multinational enterprises choose an in-house program, which usually includes a documented, public-facing submission process. Outsourced programs, on the other hand, are as-a-service models in which companies partner with third parties. While in-house bug bounty programs allow personalised rules for alert triaging, program fine-tuning, and best practices, they require a lot of time, money and resources. Outsourced programs are far more affordable but are not under the company’s control.

Whichever model they choose, companies need to ensure they are equipped with vulnerability management capabilities. Experts reckon a company should add a bug bounty scheme to its business strategy only when the CISO is ready to commit to vulnerability discovery followed by remediation. If the company is consistently failing to patch known vulnerabilities, it must focus on fixing internal security first: inviting hackers into the system without enough self-protection is unwise. It is also recommended that companies first run an internal bug bounty program as a small-scale project, to gauge their security management capability and understand what a bug bounty program requires.

Finally, companies must be aware of the risks that come with bug bounty programs, and those risks go beyond the inability to fix a reported bug. They must be mindful of their internet-facing infrastructure and product footprint: how would a given vulnerability impact the business? It is also possible that some hackers make honest mistakes or act in bad faith. A well-researched strategy, including clear bounty policies, helps.

With constant advances in technology and digitisation, bug bounty programs should be flexible. Experts reckon that what is efficient today might be insufficient soon, and a company’s internal security requirements will evolve with the launch of new products and services. A program that does not keep pace can leave the business open to new threats.


The Recent Bounty Overflow 

There have been several news reports of revenue losses caused by vulnerabilities, of program launches, and of bug bounty rewards. For instance, Yearn Finance recently launched its bug bounty program with payouts of up to $200,000. Apart from locating vulnerabilities, Yearn Finance hopes for protection from flash loan attacks, which earlier cost it $11 million in lost revenue.

Attracting hackers to invest their time with $10,000 as a reward, Asian e-commerce giant Lazada launched its first bug bounty program with YesWeHack. On the other hand, Immunefi has already paid $3 million in bounty. Since their launch in 2020, they have protected over $25 billion worth of user funds. 

Freelance hackers have also benefitted from the programs. For instance, Indian bug hunter Mayur Fartade was rewarded $30,000 for identifying a vulnerability in Instagram that could have exposed private account details, and Shdeed Nawaf al-Mutairi from Saudi Arabia reported an Insecure Direct Object Reference bug, along with instructions, to Harvard University.

Meanwhile, a DoS vulnerability was found by ethical hacker afewgoats and disclosed through the GitLab bug bounty program run on HackerOne. Experts state that the DoS issue can be resolved by updating installations to the latest version of GitLab. GitLab aims to become more bug-hunter-friendly by offering dual-use security research collaboration, which will be withdrawn if abused.

The Cobra Effect

During the second half of the 19th century, there was a growing population of venomous cobra snakes in India. To end the threat, authorities began to offer bounties to anybody who turned in a dead cobra. It was a tremendous success.

With dead cobras arriving at a growing rate, it was assumed that the nation would soon be cobra-free. But much to the horror of the government, the cobra population only increased. Upon investigation, it was found that hunters hungry for the easy rewards had begun to breed the snakes and kill them to keep their newly found income stable.

The authorities shut down the bounty program. What did the hunter-breeders do with the now-worthless cobras? They let them go. The streets crawled with cobras, the population higher than ever before. The bottom line was that a program initiated to eliminate a threat only caused a dramatic increase in it. Thus the term, cobra effect.


The Responsibility of Security Leaders

Experts warn companies to be wary of the cobra effect that could seep into their bug bounty program. The hackers are offered monetary compensation and leaderboard glory, but some rogue hackers might misuse the power endowed upon them. 

Another reason for the rise of bug bounty programs and hunters is the software vendors themselves. There are two ways to eliminate vulnerabilities: invest in extensive secure-by-design development, cost testing, deep analysis, and fuzzing, or detect faults after the code has been transferred to production. Although it is important to do both, many vendors choose to assign the liability of identifying vulnerabilities in their products to the hunters, as it is cheaper to maintain than a team of security personnel. The danger of unsolvable vulnerabilities is always looming. Experts strongly suggest vendors reconsider their strategies, as this approach might backfire in the long run.

Although bug bounty programs come with massive advantages, it is important not to be bound by them. Offering incentives to companies that comply with security standards can be beneficial. For instance, companies with trained software developers who write secure code and build it into products at the development stage could be granted legal protection, shielding them from cybersecurity civil litigation. Companies that do not comply could be sued for a weak security system.

Troubles of an Ethical Hacker 

While it is possible that some hackers could steal data or introduce a vulnerability, many ethical hackers are unfairly judged and threatened.

Ethical or not, having the word hacker in a job title carries an inherent risk: the risk of being assumed to have violated the Computer Fraud and Abuse Act (CFAA). In the US, the community heaved a sigh of relief at the recent revision of the definition of unauthorised access, under which the act criminalises only access to files one is prohibited from accessing. Experts add that ethical hackers need to be given whistleblower protection, as some companies threaten them with legal action for finding serious vulnerabilities in their products. The Middle East community hopes for focused regulations, too, as more countries begin to adopt bug bounty programs, most recently Iran.

Unfortunately, many ethical hacker communities believe that vulnerabilities reported through alternative channels often get ignored or don’t get patched soon enough. Belgium-based bug bounty platform Intigriti revealed that 12 per cent of its submissions failed to reach the appropriate security teams.

Yet the fight is strong. The massive ecosystem of bug bounty hunters has created several training programs, books, conferences, and companies at their disposal. With enough incentives, such as bounty rewards, friendly hacker status, or the pure joy of discovering bugs, white hat hackers continue to work towards defeating the illegal activities of black hat hackers.