4/28/2014 07:30 AM
Marisa Fagan
Commentary

Why Bug Bounties Are The New Normal

Bug bounties today are big business. Find out how crowdsourcing is changing the dynamics of independent security research and vulnerability disclosure.

What was once an infrequent arrangement practiced by well-intentioned white hat security researchers has become a market with norms that are being defined and enforced on a daily basis. In fact, vulnerability disclosure has become a lucrative career for determined independent researchers. The practice of "good faith effort" has gone from being the responsibility of the researcher to the obligation of the company.

Today, there is an expectation in the market for companies to be receptive to independent security research, and companies that react negatively are being portrayed as shortsighted and ineffective. In this newly evolving security research market, there are two drivers changing the old model.

The first is that researchers expect to be rewarded for their findings more frequently. Companies like Microsoft and GitHub are legitimizing the policies of Google and Facebook to pay for security vulnerabilities through a bug bounty program. (Facebook especially has seen a substantial increase in the rate of submissions.) Bringing this reward structure to the mainstream changes the expectations of security researchers in general.

The second driving change is a flood of inexperienced researchers joining the market to take advantage of the new economy. While, on the surface, this might seem like a negative change, experience shows us that this increase in numbers allows companies to tap into the powerful benefits of crowdsourcing. For relatively low costs, crowdsourced security testing produces better code coverage and realistic attack vectors.

These changes have created a new model in the disclosure market: "transactional disclosure." A transaction is a business arrangement where each side is equitably compensated in a simple, repeatable process. In the bug bounty market, a transaction is a monetary reward paid for submitting a security bug, and there are thousands of these transactions every year averaging small payouts of less than a few hundred dollars each.

More eyeballs & a new vocabulary
For experienced researchers disclosing serious, high-impact bugs, the process is well understood, but labor intensive. The expectation is that the effort required to collect the reward will be proportional to the reward itself. It usually involves a time-consuming process of revealing banking and tax information, along with other pieces of identity. In exchange for this effort, the reward is usually a large amount of money. With the coming generation of career bug bounty researchers making their money through higher volumes of lower-impact bugs worth less money, the effort on both sides is only worthwhile if the disclosure process can be made streamlined and efficient.

Researchers expect communication and validation in a timely manner, and, as a result, a shorthand vocabulary has evolved: A submission is either a "valid bug" or an invalid submission. A "duplicate" is a valid bug that is either already known from a previous submission, or is part of the original list of known bugs set out in the terms of the policy. A bug can be valid and still not be rewarded because it does not carry a high enough impact for the company to justify fixing it. These are examples of the sorts of predictable activities that are creating the basis for the CERT Division of the Software Engineering Institute's Vulnerability Disclosure Policy.

This army of eyeballs is changing the dynamic between the security team and the developers when the security team hands off lists of vulnerabilities found in the wild. The crowd, with its volume, feels more like the public eye. With that comes the expectation that companies can commodify their responses in the same way researchers are commodifying their high volume of lower-impact bugs. It demonstrates that a vulnerability disclosure no longer lives in a vacuum: when a researcher chooses to disclose, he or she brings to the table expectations shaped by every previous experience disclosing bugs to other companies.

The biggest sign that the model for vulnerability disclosure has changed is the emergence of new crowd-sourced security companies like Bugcrowd, where I work as a community manager for a crowd of over 8,000 security researchers. These third parties are streamlining the disclosure and payment process to the level of easy transactions. Researchers are able to use the same payment information across dozens of sites when testing for bugs, and are able to justify the effort more effectively. As an added bonus, the third party provides a layer of abstraction and anonymity between the researcher and the target company.

Bug bounties are becoming big business, and these crowdsourcing services are iterating on the transactional model to make it as easy as possible to get as many bugs as possible out of the wild. Companies need to be aware that there is a new community of security researchers with evolving expectations about vulnerability disclosure. Those companies that do not stay in front of this trend may end up not only with a breach on their hands, but with a lack of public sympathy as well.

Marisa Fagan is the Community Manager for the crowd of more than 7,000 security researchers at Bugcrowd. She brings seven years of experience working with the information security research community to bridge the gap between companies and independent research. She's worked ...

Comments
Marilyn Cohodas, User Rank: Strategist
4/29/2014 | 9:03:13 AM
Re: About time!
Marisa, 

How widely recognized and adopted -- among bounty hunters -- is the CERT Software Engineering Institute's Vulnerability Disclosure Policy?
Robert McDougal, User Rank: Ninja
4/28/2014 | 7:10:46 PM
Re: About time!
In my professional opinion it appears that many of the large players in the market have adopted the pay-for-bug mentality, Yahoo included. I believe it was shortly after the Yahoo incident when the Microsoft and Facebook backed HackerOne site was launched to create a central location for bug bounties.

Obviously there are still holdouts to the new norm but I would say they are now a minority. Moving forward, any large companies that refuse to pay for bugs may find themselves on the wrong side of a vulnerability.
dumbledin, User Rank: Apprentice
4/28/2014 | 5:36:22 PM
Re: About time!
Yes!! Yahoo pays me on HackerOne; I have received $15000 to date. Can't use Bugcrowd for bounties there. Very happy with the HackerOne team for bounties and hackers :)
MarisaFagan, User Rank: Author
4/28/2014 | 4:07:07 PM
Re: About time!
Robert, Yahoo is a fantastic example of this growing trend towards paying external researchers. Six months after the Yahoo "T-shirt-gate" media coverage, their security team is now paying out a minimum $250 bounty for bugs that demonstrate a security impact.
Marilyn Cohodas, User Rank: Strategist
4/28/2014 | 3:17:49 PM
Re: About time!
Robert, do you think the security industry recognizes and understands the new role bug bounties play in vulnerability management? Or are most of them still in a T-shirt mentality?
Robert McDougal, User Rank: Ninja
4/28/2014 | 2:37:20 PM
About time!
As this article points out, bug bounty programs are not a nicety but rather they are necessary. For example, just last year a security firm reported four separate XSS vulnerabilities to Yahoo and their reward was a tee-shirt. The moral of the story: if the security researcher is not properly compensated for their work then they may sell the information to someone who is more generous.

Link to Yahoo story