Marisa Fagan

Why Bug Bounties Are The New Normal

Bug bounties today are big business. Find out how crowdsourcing is changing the dynamics of independent security research and vulnerability disclosure.

What was once an infrequent arrangement practiced by well-intentioned white hat security researchers has become a market with norms that are being defined and enforced on a daily basis. In fact, vulnerability disclosure has become a lucrative career for determined independent researchers. The practice of "good faith effort" has gone from being the responsibility of the researcher to the obligation of the company.

Today, there is an expectation in the market for companies to be receptive to independent security research, and companies that react negatively are being portrayed as shortsighted and ineffective. In this newly evolving security research market, there are two drivers changing the old model.

The first is that researchers expect to be rewarded for their findings more frequently. Companies like Microsoft and GitHub are legitimizing the policies of Google and Facebook to pay for security vulnerabilities through a bug bounty program. (Facebook in particular has seen a substantial increase in the rate of submissions.) Bringing this reward structure into the mainstream changes the expectations of security researchers in general.

The second driving change is a flood of inexperienced researchers joining the market to take advantage of the new economy. While, on the surface, this might seem like a negative change, experience shows us that this increase in numbers allows companies to tap into the powerful benefits of crowdsourcing. For relatively low costs, crowdsourced security testing produces better code coverage and realistic attack vectors.

These changes have created a new model in the disclosure market: "transactional disclosure." A transaction is a business arrangement where each side is equitably compensated in a simple, repeatable process. In the bug bounty market, a transaction is a monetary reward paid for submitting a security bug, and there are thousands of these transactions every year averaging small payouts of less than a few hundred dollars each.

More eyeballs & a new vocabulary
For experienced researchers disclosing serious, high-impact bugs, the process is well understood, but labor intensive. The expectation is that the effort required to collect the reward will be proportional to the reward. It usually involves a time-consuming process of revealing banking and tax information, along with other pieces of identity. In exchange for this effort, the reward is usually a large amount of money. With the coming generation of career bug bounty researchers making their money through higher volumes of lower-impact bugs worth less money, the effort on both sides is only worthwhile if the disclosure process can be made streamlined and efficient.

Researchers expect communication and validation in a timely manner, and, as a result, a shorthand vocabulary has evolved: A submission is either a "valid bug" or an invalid submission. A "duplicate" is a valid bug that is either already known from a previous submission, or is part of the original list of known bugs set out in the terms of the policy. A bug can be valid and still not be rewarded because its impact is not high enough for the company to justify fixing it. These are examples of the sorts of predictable activities that are forming the basis for the CERT Division of the Software Engineering Institute's Vulnerability Disclosure Policy.

This army of eyeballs is changing the dynamic between the security team and the developers when the security team hands off lists of vulnerabilities that were, in effect, found in the wild. The crowd, with its volume, feels more like the public eye. With that comes the expectation that companies can commodify their responses in the same way researchers are commodifying their high volume of lower-impact bugs. It demonstrates that a vulnerability disclosure no longer lives in a vacuum: when a researcher chooses to disclose, he or she brings to the table expectations shaped by every previous experience disclosing bugs to other companies.

The biggest sign that the model for vulnerability disclosure has changed is the emergence of new crowd-sourced security companies like Bugcrowd, where I work as a community manager for a crowd of over 8,000 security researchers. These third parties are streamlining the disclosure and payment process to the level of easy transactions. Researchers are able to use the same payment information across dozens of sites when testing for bugs, and are able to justify the effort more effectively. Plus, there is an added bonus of a layer of abstraction and anonymity between the researcher and the target company.

Bug bounties are becoming big business, and these crowdsourcing services are iterating on the transactional model to make it as easy as possible to get as many bugs as possible out of the wild. Companies need to be aware that there is a new community of security researchers with evolving expectations about vulnerability disclosure. Companies that do not stay in front of this trend may end up not only with a breach on their hands, but with a lack of public sympathy as well.

Marisa Fagan is the Community Manager for the crowd of more than 7,000 security researchers at Bugcrowd. She brings seven years of experience working with the information security research community to bridge the gap between companies and independent research. She's worked ...
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 9:03:13 AM
Re: About time!

How widely recognized and adopted -- among bounty hunters -- is the CERT Software Engineering Institute's Vulnerability Disclosure Policy?
Robert McDougal,
User Rank: Ninja
4/28/2014 | 7:10:46 PM
Re: About time!
In my professional opinion it appears that many of the large players in the market have adopted the pay-for-bug mentality, Yahoo included. I believe it was shortly after the Yahoo incident when the Microsoft and Facebook backed HackerOne site was launched to create a central location for bug bounties.

Obviously there are still holdouts to the new norm but I would say they are now a minority. Moving forward, any large companies that refuse to pay for bugs may find themselves on the wrong side of a vulnerability.
User Rank: Apprentice
4/28/2014 | 5:36:22 PM
Re: About time!
Yes!! Yahoo pays me on HackerOne; I have received $15,000 to date. Can't use Bugcrowd for bounties there. Very happy with the HackerOne team for bounties and hackers :)
User Rank: Author
4/28/2014 | 4:07:07 PM
Re: About time!
Robert, Yahoo is a fantastic example of this growing trend towards paying external researchers. 6 months after the Yahoo "Tshirt-gate" media coverage, their security team is now paying out a minimum $250 bounty for bugs that demonstrate a security impact.
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:17:49 PM
Re: About time!
Robert, do you think the security industry recognizes and understands the new role bug bounties play in vulnerability management? Or are most of them still in a T-shirt mentality?
Robert McDougal,
User Rank: Ninja
4/28/2014 | 2:37:20 PM
About time!
As this article points out, bug bounty programs are not a nicety but rather they are necessary. For example, just last year a security firm reported four separate XSS vulnerabilities to Yahoo and their reward was a tee-shirt. The moral of the story: if the security researcher is not properly compensated for their work, then they may sell the information to someone who is more generous.

Link to Yahoo story