Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

4/20/2021
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Beware the Bug Bounty

In recent months, bug-bounty programs have shifted from mitigating risk to inadvertently creating new liabilities for customers and vendors.

Bug-bounty programs have accelerated in the past few years. Many organizations — bewitched by bounty programs' promise of faster vulnerability identification, improved product security, and cost-effective outsourcing solutions — find themselves facing unanticipated vulnerabilities and unexpected threats. What at first appeared as a reliable quick fix to a big problem has instead become a new liability.

With validation requirements growing in complexity and compliance framework audit fatigue on the rise, no one can afford to jump into a bug-bounty program without careful and strategic consideration. Unfortunately, hidden risks abound. Bug-bounty programs:

  • Are not accredited third-party attestations, nor do they satisfy regulatory compliance requirements.
  • May quickly identify vulnerabilities but fall short in providing in-depth testing and fail to cover the entire attack surface.
  • Provide ethical hackers access to source code, which opens the door for adversaries to find vulnerabilities and freely exploit them for nefarious purposes.

Related Content:

Bug Bounty Hunters' Pro Tips on Chasing Vulns & Money

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

One of the most overlooked challenges is that bug-bounty program costs can easily spin out of control. This can happen due to the potentially unlimited number of identified vulnerabilities (paying the bounty), vulnerabilities used for nefarious purposes (compromise of regulated data), remediation of harmless vulnerabilities (wasted development time), and legal judgments (negligence in speed to remediate). 

Avoiding Pitfalls
The bug bounty is often seen by executive leadership as a silver bullet that efficiently exposes vulnerabilities using an outsourced, pay-as-you-go model. As a result, many programs overemphasize a bounty's value within a comprehensive security strategy. It's too easy for bottom-line decision-makers to approve these programs without informed caution and diligence. There are just too many what-ifs.

Perhaps the most fundamental problem is human nature, which raises several questions. What if one of your ethical hackers isn't so ethical? What if a negligent bounty hunter simply fails to report a bug? What if that's the one bug that the company can't afford to leave undetected and finds out later the hard way? What if a company relies too heavily on bug bounty programs as a form of testing but neglects to attest in accordance with PCI, FedRAMP, or other regulatory compliance frameworks?

In a recent forensic review, we came across a situation where a bounty hunter failed to disclose a vulnerability that was easily hacked two months later. This resulted in a huge compromise of high-value client data that was stolen and sold, right under the nose of the program that was supposed to prevent this.

Fortune 500 companies in particular are noticing an increase in attacks on the applications they've tried to protect with bug bounties. Attack vectors in high-production environments are expanding in concert with higher payouts for bounties and more visible targets of opportunity. When the quantity goes up, so does the potential for white-hat cheating, and triggering unauthorized access to internal and external bad actors lurking on the sidelines.

The vast majority of good-guy hackers are on our side. However, the typical bug-bounty provides incentive to monetize single vulnerabilities for quick payout. This mercenary practice in theory is productive, but it can't be allowed to outweigh the need for proper vetting or the assurance that the program covers the full attack-surface spectrum.

With so many breaches, the exposure to legal liabilities is tremendous. There is too much established case law now that holds companies accountable. More and more, failed bug-bounty programs come up in the legal discovery process and are used to prove negligence. 

Making It Work
Despite the pitfalls, we see these programs every day and know that bug bounties can still work and can play an important role in enterprise risk management.

First, we recommend delegating bug-bounty oversight to external legal teams. We're not just looking for bugs but in protecting the organization's exposure to legal and regulatory liabilities, as we see legal exposure for not remediating program identified vulnerabilities in a timely fashion. Courts will be looking to see that the organization took reasonable measures in remediating identified vulnerabilities in a timely manner and holding the organization accountable. There's no ability to hold a bounty hunter accountable or responsible for missing or failing to report a bug. 

Most importantly, by their very nature and as an offensive strategy, bug-bounty programs are limited in what they can detect, and it's a given that other cyber issues will be overlooked. We routinely come across Severity 1 vulnerabilities at companies that have been relying on bug bounty programs to assure their security. Sometimes the programs lose focus, sometimes the prospective return on investment is no longer seen as beneficial, and sometimes they just stop. Perhaps the budget breaks with too many payouts, and the doors open for exploitation.

Bounties Augment Security
Management should buy in to bug-bounty programs as augmentation to a comprehensive security strategy. It's the fine-tuning between aggressive bug hunting and a dynamic, scalable security program that keeps everything in holistic balance.

Start with a layer of legal protection. Engage your internal counsel to review the program and determine if best course is to work with external counsel so that your organization is protected with legal privilege. Then, make sure your bug-bounty program and vulnerability remediation processes are in lockstep. There are available solution integrations that can aid in achieving this goal. The common denominator is coordination of stakeholders, business leaders, and delivery resources, and establishing effective planning and communication.

Bug bounties have their place. With all eyes on improving CI/CD pipelines, DevSecOps, and software development life cycles in multicloud environments, we need to streamline our bug-hunting efforts within today's more sophisticated security programs.

 

Joseph Neumann, Cyber Executive Advisor, CoalfireJoseph is a Cyber Executive Advisor for the Threat Vulnerability and Management practice at Coalfire. Joe's primary focuses as a Director were focused one FedRAMP compliance based testing and standardizations around penetration ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21742
PUBLISHED: 2021-09-25
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.
CVE-2020-20508
PUBLISHED: 2021-09-24
Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.
CVE-2020-20514
PUBLISHED: 2021-09-24
A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.
CVE-2016-6555
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...
CVE-2016-6556
PUBLISHED: 2021-09-24
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...