The bug bounty landscape continues to change along with the concept and rules around vulnerability disclosure. Meanwhile, companies such as GitHub, Microsoft and others continue to keep pace, launching or expanding bounty programs. Even the European Commission is getting in on the action. On January 14, it launched its own bug bounty program for free open source projects that EU institutions rely on.
Making matters worse is a new breed of cybercriminals that target an evolving IoT device landscape. Threatpost editor Lindsey O’Donnell discusses the challenges and opportunities behind bug bounty programs, as well as how the landscape is evolving, with HackerOne CEO Marten Mickos.
Threatpost: Hi everyone. This is Lindsey O’Donnell with Threatpost. And I’m here today with Marten Mickos, the CEO of HackerOne. Marten, thanks for joining us today.
Marten Mickos: Thanks for inviting me.
TP: How are you?
Mickos: Pretty good. I love it here in Boston.
TP: Yeah, we’re getting a little bit of cold weather. But it could be worse. So why don’t you introduce yourself and HackerOne, for those who might not know about the company.
Mickos: I’m Marten Mickos, CEO of HackerOne. HackerOne is the company that organizes bug bounty programs and what’s called vulnerability disclosure programs. So in essence, we are the world’s largest provider of hacker-powered security, meaning security services provided by freelance security researchers and experts that we just call hackers, because we believe in the power of hackers, and we think hackers are good.
TP: So I feel like bug bounty programs have really been gaining traction over the past few years, especially with the concept of vulnerability disclosure really evolving. What have you been seeing, from your perspective, throughout 2018? And what are some of the big trends that we should be keeping an eye on in 2019?
Mickos: Bug bounty programs started in the tech sector and primarily in the San Francisco Bay Area. Now it’s spreading all over the world, and we see very strong interest from the government side. So the government is eager to run bug bounty programs, to recommend them to everybody, even to mandate them for some. Like in the “Hack The DHS” act that passed in December 2018, they mandated DHS to run a bug bounty program. So we’re seeing how society now accepts that the best way to find what’s wrong with your system is to ask the world around you.
TP: What about the demographics that you’re seeing with some of the bounty hunters? Is there any popular type of age range? What are you seeing there?
Mickos: We have over 300,000 hackers signed up on the platform. So we have every type of person in that community. But if you look at the large groups, we have noted that nearly half of them are 25 or younger. So it’s a very young generation, the youngest are 14 years old. It takes them a year or two to get the hang of it, and start producing good vulnerability reports. So there’s a lot of that. When you look at what they do for a living or what their day job is, if they’re young, they are students in school or college. Many of them have a security job at daytime and this is an evening or a weekend hobby. And then we have some full time bug hunters who do nothing but hunt bugs.
TP: And then looking at a company that may want to start up a bug bounty program, what are your suggestions for kind of the first steps there? I mean, what’s the very first step that such a company could take?
Mickos: When a company wants to run a bug bounty program, the first thing they need to make sure is that they have the capacity to fix the bugs once we find them, because we always find them. So if you’re coming to us, we say, how will you make sure your engineering group will prioritize and fix the bugs once we start finding them? And with that in shape, we can launch a program very quickly. What you do is you pick the attack surface, the scope that you start with. Then we recommend that companies start with a small scope and a limited program, and maybe even just by inviting a few known hackers to start with to get it going. Later, we can expand scope, we can expand the bounty table, we can invite more people and open up the program to everybody. But we usually recommend that they start small, start with baby steps and get going.
TP: I’m curious, because IoT is something that’s near and dear to my heart, at least – what are you seeing with Internet of Things and the kind of interest around setting up programs with IoT devices? Do you think that’s something that’s really gaining traction? And would you say that IoT is different in the bug bounty landscape than some of the other products and systems?
Mickos: Very good question. IoT certainly is different when it comes to bug bounty programs. And we see them come and go, and we have a good number of them on HackerOne, but it hasn’t fully taken off yet. And one reason is that if you run a bug bounty program for an IoT product, you need to get the product in the hands of the hackers, and we have shipped out a lot of different devices to hackers all over the world. So we know how to do it, but it hasn’t really taken on yet. That’s one thing. The other thing for an IoT vendor is that once they find a vulnerability and fix it, they have to roll out the fix as well. So they need to have a product that can be activated from afar or updated from afar, and that’s another hurdle for them to overcome before they can be fully successful with the bug bounty program.
TP: Should be interesting to see where that goes in the coming years.
Mickos: Absolutely, and of course, this is an area where the government is very active, because IoT devices typically are used by consumers. So it’s a question of protection of the integrity of consumers and the privacy of consumers, so it becomes a legal responsibility at some point.
TP: That’s really interesting. So, something that came up in the news recently was the EU announcing that they would fund programs for finding bugs in, was it 14 open source projects? Just an array of open source projects. Can you talk a little bit about that and kind of the hope there?
Mickos: We have done a number of programs for the European Commission for a while already. And this is a new initiative they call EU FOSSA, where they’ve selected open source projects that may not have the funding themselves to run a bug bounty program, and EU is funding the program on behalf of them. So it’s a very good way of going to the heart of the problem, which is open source libraries and products that are used all over the place, but there isn’t necessarily an organization or funding to fix the security vulnerabilities. But now there is.
TP: Right. What kind of challenges are you seeing right now in the bug bounty landscape? I know a couple of people in the infosec space have mentioned concerns about companies relying solely on bug bounty programs. Do you see that as a challenge? Do you see any other challenges that the landscape needs to overcome at this point?
Mickos: The only challenge is the hunt for the bug and the difficulty in finding them, and we always find them. Everything else is manageable and can be handled. There are always detractors who will say that this or that is not working. It’s not true. We are seeing it very clearly in the statistics of our programs: the rate at which it is growing, the rate at which people are fixing the bugs. We are making huge progress all the time, hackers are making good money on this. Products are getting more secure, architectures are getting fixed. This is the only way we can fix our digital society. And we will stumble a little bit on the way there. But those are small, small problems in the grand scheme of things, because we are fixing the world.
TP: What are you most excited for in 2019 about the bug bounty landscape – any specific programs to look out for, or anything else?
Mickos: I always get so excited by the hackers themselves, like the fact that we can have somebody as young as 14 on the platform, filing a report, fixing software that a much older software developer developed. And it gives me this conviction and belief and evidence that the future generation, they know how to fix what’s broken, and they will make sure we have a good future. I think it’s endless optimism and sort of positive vibes in that.
TP: Speaking of that, I’m sure you saw the news of the Apple FaceTime bug that was discovered earlier this week, or I guess it was discovered weeks ago, essentially by a teenager. So I mean, it’s just another example of someone who is of the next generation who is really coming out and finding these bugs.
Mickos: But there’s sort of a bigger question: We must trust the young, we must give the young responsibility, we must give them recognition when they do something useful, and then they will do more useful stuff.
TP: Great point. Alright, well, thank you so much, Marten.