
Online Tools For Bug Disclosure Abound

What's driving the bounty of software vulnerability disclosure offerings today from Bugcrowd, HackerOne, and Synack.

PayPal was one of the pioneers of internal bug bounty programs. But like other companies that have led the curve with in-house programs that pay researchers a fee for finding valid vulnerabilities in their software, the digital payment firm found that running such a program is no easy feat.

"It's very difficult to have enough resources internally to manage the program and match wits with researchers out in the world," says Gus Anagnos, who developed and ran PayPal's two-year-old internal bug bounty program.

Fielding bug submissions as they come in and budgeting for the payments to researchers is challenging. "It's also very difficult to manage researchers and the expectations they have in payment and time to fix," says Anagnos, who left PayPal this year to become vice president of strategy and operations at Synack, a startup offering a vulnerability disclosure program and other security services.

"The reason I joined Synack is that I noticed, even though there's a tremendous amount of value in having bug bounty programs, it's still very difficult to run them internally," he says. "I left PayPal to come to Synack to take a great bug bounty model and create a new model more than the traditional bug bounty program, and to address items that in-house programs have a hard time" addressing.

Synack, like newcomers Bugcrowd and HackerOne, offers companies an online platform for coordinating vulnerability disclosure, a process that traditionally has been conducted via email correspondence. Synack retains a small, hand-picked group of outside researchers who perform its vulnerability discovery service.

Anagnos says Synack technically is not a "middleman" nor a bug bounty service. "We provide a technology platform that automates the process" that vetted and trusted security professionals use to find vulnerabilities that only humans can find, he says.

Its outside research team spans 21 countries and consists of members whose day jobs are in academia, government, Google, Facebook, and PayPal.

Tagged, a social networking firm, initially launched its own bug bounty program in-house, but it soon began to overwhelm the company's IT staff. "We started receiving bug bounty submissions, and our help desk spent the majority of time validating bugs, which in essence wasn't scalable," says Boris Sverdlik, who worked on the program. Sverdlik is now head of infrastructure security for the digital branding software firm TubeMogul.

"Some researchers were trying to get paid on every hit on our [] API," he recalls. So Tagged solicited Bugcrowd's online bug bounty services to get a grip on the disclosures it was fielding. "Bugcrowd maintains a 'do not test list'… We worked with them to go through the list and block what we don't want to see, and that increased the efficiency of my group. And we were able to offload the validation and auditing."

Vulnerability disclosure has gone through a major transformation over the past five years. For a long time, researchers either got a shout-out or got shouted at for their discoveries -- if a vendor even responded at all. Many were threatened with legal action.

The game changer that made bug bounties more of a mainstream phenomenon came last year, when Microsoft, one of the biggest bug bounty holdouts among software vendors, finally threw its hat in the ring with a bugs-for-bucks program of its own. Katie Moussouris, then senior security strategist at Microsoft, spearheaded the move, joining Facebook, Google, Mozilla, and PayPal, which preceded Microsoft with programs of their own.

Moussouris left Microsoft in May of this year for HackerOne, a startup that spun off a bug bounty project initially funded in part by Microsoft and Facebook. She's now chief policy officer and works alongside former Facebook director of security Alex Rice, who is now CTO of HackerOne. The startup's free online platform automates the vulnerability disclosure process between the researchers who find the bugs and the affected software vendors and websites. HackerOne charges a 20% service charge when a bounty payment is transacted.

"I'm thrilled there is an industry now" for vulnerability disclosure, Moussouris says. "Where the bad guy would find a vulnerability before an organization fixed it, you can now tap into a worldwide pool of security researchers. It's been a very powerful thing."

Microsoft and other firms have data showing "a tapering off" of software flaws after the initial spike when the programs begin, she says. "We've seen this with a number of our customers" at HackerOne.

The biggest misconception is that a vulnerability disclosure program should automatically include a bounty program from the get-go. However, "starting with a bounty" as part of the program "is not the best idea for everyone," she says. "Starting a bounty from the onset may seem like a cool and trendy idea, but if you're not solid in what you're going to do with that process, you're going to have a bad experience."

Firms with a limited software portfolio find it's more straightforward to have the bounty rolled in right away, according to Moussouris, but that's not the case for firms with larger software sets.

For researchers, the new model of online community and for-hire vulnerability disclosure is much less painful -- and often much more lucrative than in the old days. It wasn't long ago that a security researcher could get sued for reporting a vulnerability to a vendor or online business. "It used to be really scary," says one of Bugcrowd's most prolific bug-finders, a researcher who hunts for bugs after his day job at a software firm and asked his name not be published. "Now we won't get sued."

Bugcrowd is a crowdsourced site that also helps organizations set up bug bounty programs online. It offers a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Casey Ellis, co-founder and CEO of Bugcrowd, says the firm charges a fee for any bug bounty payment transactions. "They can use the platform itself and the triage team we have in-house" for free.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins
User Rank: Strategist
8/29/2014 | 10:27:32 AM
Re: Great step!
I think the pressure's on for companies to pony up with bug bounties. I keep flashing back to Dino Dai Zovi/Charlie Miller/Alexander Sotirov's "No More Free Bugs" banner and meme from a few years ago that started this shift. Overall, there are fewer significant vulns to find in major software, so some bugs are definitely more valuable and bounty-worthy than others. Not all companies are ready for this, obviously, but it's definitely a seismic shift with these free vuln disclosure program tools and online tools for bug bounty programs.
User Rank: Strategist
8/29/2014 | 10:19:20 AM
Re: Great step!
Great story, Kelly! I wonder, though, if the proliferation of bug bounties is eroding the notion of "responsible disclosure" and the revelation of vulnerabilities for the simple reason of protecting users. Do you (and others here) think that tomorrow's security researchers will no longer disclose their findings unless they are properly paid?
Kelly Jackson Higgins
User Rank: Strategist
8/27/2014 | 3:33:39 PM
Re: Great step!
A big takeaway here is there are now (free) tools for organizations that want to set up a professional and organized process for fielding security vulnerability reports, as well as a potential avenue for setting up a bug bounty program (for a fee). As for researchers, it's a safe way to report & potentially sell their findings. 
Robert McDougal
User Rank: Ninja
8/27/2014 | 3:13:16 PM
Great step!
This is great news to hear! In the past, I can remember thinking to myself, should I tell Microsoft about this bug or just keep it to myself. The fear of being sued was, and in some cases still is, very real.