Vulnerabilities / Threats
12/29/2016
08:00 AM
Jason Haddix
Jason Haddix
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Bug Bounty Model: 21 Years & Counting

A look back on the beginnings of crowdsourced vulnerability assessment and how its robust history is paving the way for the future.

When Netscape launched the first bug bounty program 21 years ago, it redefined the way companies approach system vulnerabilities. Today, there is widespread adoption of crowdsourced security programs across mainstream companies with more than 600 publicly disclosed programs and counting.

I’ve worked on a number of these bug bounty programs over the years, and served as director of penetration testing for HP Fortify. The changes have happened so fast, it’s easy to lose sight of how far we’ve come since the very first program was introduced in 1995. As we approach the new year, let’s take a look at the robust history that set the foundation for the modern bug bounty program.

The First Bug Bounty
Netscape Technical Support Engineer Jarrett Ridlonghafer designed and launched the first bug bounty program to discover vulnerabilities in Netscape’s beta version Navigator 2.0 Internet Browser. The company offered cash rewards to hackers who found bugs in the software.

Although this was a major advancement for the security industry, the model wouldn’t catch on for another seven years. By 2002, IDefense launched its own bug bounty program and in 2004, Mozilla created a program that is still running today. These early programs paved the way for the modern bug bounty and for the emergence of managed programs and bug bounties as a service.

Breaking the Mold
In 2010 and 2011, Google and Facebook took notice of crowdsourced security, adding them to their business models, which increased their popularity and incentivized more researchers to join the bug bounty community. In March 2011, Facebook paid a 22-year-old security researcher $15,000 for a bug discovered. By 2015, Facebook had paid more than $4.3 million to researchers globally.

Bug bounty programs were beginning to increase in popularity, yet many organizations still perceived them to be too risky. This perception was tied to the belief that a bug bounty gives hackers free reign of critical code. But the reality is much more controlled than that, because, whether you invite hackers in or not, as long as applications are connected to the Web, they’re vulnerable. Tapping into the intelligence of thousands of security researchers helps identify these vulnerabilities before the bad guys do and lowers the risk of being vulnerable.

Bug Bounties as a Service
In recent years, the growing need for bug bounty programs and the challenges and costs associated with managing them internally drove the creation of third-party platforms or bug bounties as a service. This opened new pathways for a growing hacker community and furthered adoption by other market sectors such as healthcare, financial services, automotive, and the Internet of Things.

For companies, third-party platforms offer the opportunity to create personalized programs by connecting organizations with trusted partners and a community of diverse security researchers. For researchers, the third-party platform verifies their results, handles arbitration issues with the company, and makes it easier for individuals to get paid and move onto testing for more bugs. Third-party platforms also drive the creation of a thriving community where researchers connect, educate, and inspire one another in an environment that allows people with a variety of backgrounds to share their knowledge and expertise.  

The Future
Crowdsourced vulnerability assessment has evolved to include more than just public programs. As I mentioned earlier, a common misconception about the bug bounty model is that all programs are public. In reality, the majority of all programs launched are invite-only. Private, ongoing, and on-demand programs are incredibly common and give companies a way to facilitate testing on harder-to-access applications, or focus testing on a small subset of an attack surface to meet organizational testing needs.

Private programs allow organizations of all sizes (like Western UnionOkta, and Aruba Networks) to validate the security work they’re doing internally, and leverage a curated crowd of talent to scale up their team and improve response time before going public.                  

Crowdsourced security programs have taken on many different forms and will continue to play a major role in securing applications, especially as companies face increased pressure to release updates and keep their customers’ data secure. From the increase of vulnerabilities in healthcare devices, IoT and the automotive industry, these programs can bring advancements to industries across the board. With the willingness and constant interest from intelligent engineers, bug bounty programs will continue to thrive.

Related content:

Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:54:14 PM
bounty misconceptions
In addition to public vs. private-only, another potential "misconception" (if that is the right word in this case) that abounds among many researchers/hackers is that you get a payday just for discovering (1) *any* security bug and (2) anything that *looks* like a security bug.  Additionally, they operate under the misconception that (3) they will necessarily be believed.

I still remember the 2013 case of Khalil Shreateh, who -- after several repeated reporting attempts to Facebook on a serious bug -- wound up having to hack Mark Zuckerberg's Facebook account and post to his wall to prove the bug he had found.  Facebook then continued to deny Shreateh the bounty because he had technically violated Facebook's TOS in hacking Zuckerberg's account -- despite admitting that the company was too "hasty and dismissive" in not rewarding him earlier.

(In the end, Shreateh got an $11k payout from an IndieGogo fundraising campaign in lieu of a Facebook-awarded bounty.)
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: No, no, no! Have a Unix CRON do the pop-up reminders!
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.