Bug bounty programs continue to increase in popularity – but that popularity has its downsides.
Since the launch of the Hack the Pentagon program in 2016, bug bounty programs have quickly grown in popularity. Bugcrowd’s State of Bug Bounty report this year found that the number of programs launched in the past year has jumped by 40 percent.
That includes players such as Google, Facebook, and Microsoft offering high rewards – and with good reason. The programs have helped unearth important vulnerabilities, including a serious flaw in Chrome on Google’s Pixel in 2018 and a massive Facebook remote code execution flaw in 2017.
However, as more programs are created, some companies are forgetting the real reason behind bug bounties. That is, instead of making their systems more secure, companies want to merely hunt bugs. Threatpost talked to Katie Moussouris, founder of Luta Security, to hear more about her thoughts about the challenges in developing – and launching – bug bounty programs.
What are the biggest issues we’re seeing with bug bounty programs right now?
It’s a cause that I have been taking on for the better part of the year at this point. I have noticed that, unlike five years ago when I launched Microsoft’s bug bounty program, the general acceptance for bug bounties has skyrocketed. Just this past year, bounty programs have eclipsed apparent demand for traditional penetration testing.
The overall thing is while it’s been good that people are embracing outside help from security researchers and hackers, what has been detrimental is the overuse of bug bounties as a cure-all for all of your security problems.
When I was part of a bug bounty company I very much disapproved of any messaging that said things like, ‘get a bug bounty program to prevent breaches.’ That’s just false. That’s not something that will prevent a breach, just like getting penetration testing doesn’t prevent a breach.
Say I’m developing a bug bounty program, what’s the very first step?
When you’re thinking about a bug bounty program, the very first step you should take is ask yourself, why? What is the problem you’re actually trying to solve? So many of my customers, they come to me and say, ‘You’re the bug bounty Queen, we want to hire you to help us architect this bug bounty.’ And I say, why do you need a bug bounty right now?
They might say things like, ‘Well, you know, we don’t have anybody to handle incoming bugs.’ And I ask them all, how many incoming bugs are you getting on average per year? And they’ll say some ridiculously small number like five, or 10 or 12. And I’ll say, wait a minute, you’re feeling overwhelmed with 10 or 12 bugs, and you think starting a bug bounty will help with that? They’ll recite the marketing of the bug bounty companies, where the bug bounty companies have been saying, we take all the hassle out of it, we do a managed program, and those words ‘managed program’ sound really great to them. But what they don’t understand is, it doesn’t matter. You know, they basically just attracted a swarm of bees.
What’s the correct approach for bug bounty programs?
It’s a mixture of different approaches. Bug bounties can definitely be very helpful, especially if you’re being smart about targeting them. A bug bounty program can help bring out a particular area that you’re looking for – not just a bug. Maybe you’re looking for people who you can target to hire eventually. So bug bounties can be helpful in that way.
But that in-house expertise, that’s really what people need to build in terms of long-term sustainable security. You’re never going to be able to outsource your bug hunting completely. That’s the most inefficient way to find bugs, is after it’s already out there, after the website is up, or the software is released, or the product is released, and asking a bunch of internet people to help you secure it.
That’s definitely against what the security industry has been preaching for the last 20 years. And yet the bug bounty companies, and their marketing departments with millions of dollars of VC backing, have effectively made the case for bounty programs. Simply put, bug bounty programs are sold as bigger solutions to the problem of finding and patching vulnerabilities than they really are.
Do you think that bug bounty hunters and program creators are on the same page about what it means to have a successful program?
Definitely not, because the bug bounty hunters – even the best of them – are getting told a lot of the time that their submission is a duplicate.
And the way that happens is that more than one person, obviously, is finding the same flaw. But that happens more and more frequently, the less mature the software target is. So even the experienced bug hunters who should be able to make a really decent living doing this, they are still encountering issues, because of the fact that only the first person to report a particular bug gets paid. So they’re still doing the work and their expertise is still being utilized, but they’re not getting paid for it some of the time.
So it’s not just competition among fellow bug hunters. But there’s also the fact that the triage personnel at these bug bounty companies are actually not full-time employees – most of them are contractors, and actually, many of them are also bug bounty hunters. It’s basically, you know, where you’ve got a little fox-in-the-hen-house thing going on.
I’ve certainly seen bug bounty hunters refuse to submit bugs to certain platforms, because they know fellow bug bounty hunters who are competing with them are now able to see their bug submissions. And they’re feeding really good bug reports and proof of concepts… to their competitors in this market.
What are customers’ main questions and concerns when they come to you to ask about bug bounty programs?
It’s a lot of customers who are thinking about managing different pain points in the process. It’s always a legitimate reason why they need help. They might think that a bug bounty is the solution or is the help they need.
But actually, some people come to me because they have dysfunctional bug bounty programs and they need some kind of help rejuvenating them in some way. It’s not worked well for them, or the quality of bugs is low. For some companies, a bounty program is effectively just more noise.
Even with the managed programs, where a company may no longer be getting anything of value, they’re paying the bug bounty company to continue to monitor. And so they’re paying, they’re outsourcing and they’re not actually getting quality bug submissions in. That’s when they come to me asking for help.
I think the real challenge for companies is, a lot of them realize that because they’ve already started a bug bounty, they can’t just shut it down. They have to figure out how to process the information so that it’s not just a one time payment to a hacker, fixing the bug, and that’s all the value you get out of the program and relationship. We’re trying to basically make it so that a bug bounty program is one key part of the overall secure development life cycle. They are tied together.