Next for Bug Bounties: More Open Source Funding

The need for bug bounty programs will only increase in the future, especially as a way to reward researchers for finding vulnerabilities in open source software and to make the common components used across applications more secure, Google's program manager said this week.

On Tuesday, the Internet giant marked a decade of its own bug bounty, the Vulnerability Rewards Program (VRP), by launching a new online platform for its research community. When the company kicked off its VRP a decade ago, researchers submitted 25 issues on the first day. Now the company has paid out more than $29 million for 11,055 vulnerabilities over the past decade.

Continually refreshing software won't mean the need for such programs will go away; in fact, they'll need to be applied to other software ecosystems, especially the open source software development community, says Jan Keller, technical program manager for Google's VRP.

"One of the big things that we are working on is to bring open source security into the scope of things," he says. "I certainly don't worry about there not being enough bugs out there for researchers."

Bug-bounty programs have gone from being perceived as risky endeavors to a common part of many software security programs. In 2005, when TippingPoint kicked off its third-party bug-bounty program, the Zero-Day Initiative, only a few other organizations — such as the Mozilla Foundation and VeriSign's iDefense — offered rewards for vulnerabilities. Yet support for programs grew steadily. Even Microsoft, which resisted paying for security vulnerabilities, launched a program in 2013.

Yet open source software continues to be a weak spot in the universe of bug bounties. While some programs exist — such as the Internet Bug Bounty — to pay a reward to those who report vulnerabilities in the critical software supporting the Internet, the coverage of critical software components is nowhere near complete.

In May, a group of researchers proposed that a catch-all vulnerability rewards program, the Bug Bounty Program of Last Resort, should be created for a more stable — and legal — market for vulnerability information that incentivizes reporting issues to vendors.

"Bug bounties have instead proven themselves an additional effective mechanism to improve vulnerability discovery, while also reducing the availability of zero-day vulnerabilities and exploits to malicious cyber actors, [b]ut they are not trivial to operate and have not yet been adopted widely or consistently," the researchers stated in the program proposal. "Startup vendors and open source projects especially are challenged to fund and manage such programs, yet their technologies underpin the digital transformation."

Google will focus on open source bug bounties in the next decade, Google's Keller says. Programs such as the Internet Bug Bounty need to be expanded, and additional programs to help developers detect and avoid malicious code commits should be created, he says.

Google already supports some open source projects and plans to expand its support. While vulnerability-discovery support should focus on the open source components that are used widely by Web applications and Web frameworks, popular consumer applications, such as the VLC video player, should also be supported, Keller says.

"This should not be only a Google thing or an Alphabet thing — we want this to be a joint venture between companies that are using open source heavily," he says. "There are a lot of us out there that run Linux, for example, so we need to be tackling that problem together."

Another trend for the next decade: the increasing use of artificial intelligence (AI) and machine learning (ML) to analyze code and find vulnerabilities. AI/ML has already started helping developers create more secure code and security researchers find more vulnerabilities. In early July, for example, GitHub released early data on its developer assistant, Copilot, which is designed to auto-complete functions as a developer types. The ML system, based on Open AI's Codex, can guess the intended function from the name, comments, and variable about 43% of the time.

Yet, for the next decade, 78% of hackers believe they will continue to hold the upper hand over machine-directed analysis, according to BugCrowd's "Inside the Mind of a Hacker 2020" report.

Still, as the number of ML tools introduced to quash bugs rapidly increases, most developers and application-security specialists will likely be using such tools.

The number of vulnerability researchers increased dramatically during the coronavirus pandemic. Submission to Google grew by about 50%, as more people had time to work on finding bugs in third-party software, Keller says.

Companies should make use of this potential, he argues.

"Nowadays, it should be obvious to all the major companies that bug bounties are a good investment," Keller says. "There are multiple compromises every week, and breaches are far more expensive than the cost of these programs."