Bug bounty programs are an increasingly popular way of discovering security bugs, with many organizations turning to this cost-effective model of crowdsourcing cybersecurity where they leverage the expertise of well-meaning hackers. The U.S. Department of Defense ran a pilot bug bounty program recently, and it was apparently a success. Is this part of the future of cybersecurity? Casey Ellis, founder and CEO of crowdsourced cybersecurity platform Bugcrowd thinks so.
Bugcrowd’s Casey Ellis Discusses the concept of crowdfunding cybersecurity, bug bounties and the future of Cybersecurity
What is Bugcrowd?
Bugcrowd is a combination of a community of hackers from around the world, Ellis told ITWatchIT. The Bugcrowd platform allows customers run contests where the hackers compete to find ways to break in, in exchange for cash and social recognition. The main focus is to identify vulnerabilities before the bad guys do, and make sure they get fixed. Additionally, we create a feedback loop between people who think like the adversary, even if they are actually friendly, so that organizations can get better at security, moving forward.
The core concept of the bug bounty program is that each hacker to find each unique vulnerability, within the scope of the program, reports it and gets rewarded for finding that vulnerability. The more severe the issue, the more they will get, and it’s been interesting to watch it grow. It started off in the tech space, but over the past few months, it has spread across the rest of the market.
We have customers like MasterCard, Western Union, Fiat Chrysler, and other more traditional institutions that are adopting this model as they see the fact that it is a better way to engage people.
How Bugcrowd Operates
Bugcrowd runs three programs – public, private and on-demand. The public programs are the ones where the open internet is invited to participate. It is great, because there are many companies adopting that model, and also want to do it. The upside is that this is what attracts researchers to the platform. They see these launches and the fact that there is an opportunity to hack companies such as MasterCard, or Tesla, and they want in.
They join the platform and start submitting their issues, and from there, we get some great insight into the types of skills they have, the impact they are capable of, how active they are, and how much we can trust them.
This is how we create a subset of the crowd called the Elite tier, which we deploy privately for certain customers. We’ve also seen people join through preexisting networks of like-minded people.
Financial Incentives, Social Proof – Huge Draws
For the hackers, there’s the financial aspect of it, the social recognition, and the opportunity to use their Bugcrowd profile as a resume. For them, their profile is proof of what they’ve achieved – and we’ve seen people get employed based on that merit.
The other aspect is that some people just enjoy hacking things. it gives such people the opportunity to work on new targets. For them, it’s what they do and they love it.
Some customers we’ve dealt with before will come back to us and say they understand how this works now and want to do their own thing. That is usually after they’ve been through the process once or twice.
Initially, our team will sit down with the customer for an onboarding process. They will figure out the customer’s target, their requirements that need to be communicated with the researchers, their level of maturity as an organization and so on. Then we’ll create a program brief, in collaboration with the customer, and that is what will go up on the website for the hackers to look at. It constitutes their invitation to participate.
Depending on the type of program – it may go up on the public side of the website or the private side. The private programs account for over 70 percent of what we do, and that will only be visible to folks who have been invited.
We actually don’t allow companies to jump straight into a public program because they might not be ready for things we may find. They need to know how to communicate with the security researchers, process the vulnerabilities, and fix things up in a controlled way.
Our mission as a company is to connect the global security community with the global market. You can think of us as a hacker dating site, in the sense of connecting the right researchers with the right clients, and also creating the right incentives for both sides to interact successfully.
Crowdfunding Cybersecurity – Not a New Concept
The first bug bounty program was Netscape, in 1995. There have been a few others, but it became popular in 2010-2011, when Facebook and Google started their programs. The actual concept has been around for longer than that.
Draw for Companies
Companies get more results, and better assessment of their risks. They have access to more people, with a wide variety of skill sets, and the creative energy is very high. Companies that have been running different types of traditional vulnerability assessments, including penetration testing and so on, bring us in, and within a day or two, we actually start bringing in results on high-impact issues. The bottom line is that the crowd is better, and people are starting to talk about how effective this is.The other side is that is relatively cheap, in the sense that you are paying for results.
Large Enterprises Can Afford to Run Their Own In-House Bug Bounty Programs?
You would think so, but when you look at the recent job openings, there are about 209,000 unfilled security positions, as quoted by the Bureau of Labor Statistics. If a company wants to test their products through crowdsourcing, the last thing they want to do is to take three or four people off the tasks that they are dong in-house at the time to deal with the researchers. Bugcrowd provides a managed service on top of crowdsourced cybersecurity, to essentially run the program on behalf of the customer.
Some large tech companies are known for having started their own bug bounty programs, almost pioneering the idea. Now, they are customers, because they have realized that it is a better idea to outsource those operations.
Some Say Bug bounties are the ‘Snake Oil of Cybersecurity’
Nothing is a silver bullet, and I think anyone who says a bug bounty is a panacea for all security issues is engaging in a snake oil pitch. In terms of this particular area of vulnerabilities – helping companies catch mistakes before they are exploited, and helping them avoid it in the future – there are few tools as effective as this. If that is being sold as the only thing you need to do, then I would be suspicious.
When you look at what we are doing currently, we have added automation to the process of discovery, which is good. On the hand, automation leaves a gap when you are talking about trying to find mistakes in what people have built. We often bridge that gap by finding people we pay $2000 a day to do penetration tests, but the reality of that is we are only accessing one set of skill set, which is further constrained by the number of hours paid for.
When you have lots of different skill sets and different creative approaches, then you begin to see the benefits of crowdsourcing.
How do you Guarantee Confidentiality From Hackers?
The risk of that happening has increased with public programs, because at that point, you don’t really vet those who apply to participate, or control who’s aware of the program’s existence. One of the things the vetting process helps establish is that element of trust – you find out who is likely to stick to the rules. We’ve never seen that happen in our programs, but it’s one of those situations where we’re always keeping our eyes on things like that.
For instance, there are different research behaviors that look like they are heading in the wrong direction, and we’ll jump in and set things straight. For the private programs, the researchers have to sign a non-disclosure agreement as a condition for invitation. You’re not allowed to talk about the program or what you find, although you can talk about the fact that you were rewarded for something.
How do you Enforce It
You first have to make a character judgment and take it from there. There is some enforcement behind it, but we’ve never had to use it. We’re always looking around, making sure there are no infractions.
Bug Bounty Not Continuous Monitoring
The public bug bounties have continuous monitoring aspects, project-based bounties have set targets and we wrap it up after achieving set goals, while private is somewhat in between the other two. What we have seen with customers is that after the program, somewhere down the line, someone will push a bad code change, and it will get caught within a day, because people are still looking.
Bug Bounties Here to Stay
The industry doesn’t really have a choice with regards to accepting bug bounties. That is driven by the fact that we are outnumbered and even outresourced by the people doing the attacking. There are not enough good guys to go around, the model we are engaging them under is broken, and we’re vulnerable because vulnerability is a product of building things. If the industry and the government don’t start to become more flexible in how they resolve these types of issues—they are going to get left behind.
Speaker: Casey Ellis
As CEO and founder of Bugcrowd, Casey Ellis brings over 14 years of information security experience to lead the company’s technology vision and strategic operation. Prior to Bugcrowd, he served as chief security officer at ScriptRock and as an information security specialist and account manager for Vectra Corporation Ltd. A former penetration tester, Casey has taken on the role of “white hat” to connect organizations large and small with the power of Bugcrowd’s platform for a revolutionary approach to cybersecurity. Casey has presented at several top security shows including Black Hat, DefCon, RSA, DerbyCon, BSides, Converge, SOURCE Conference and the AISA National Summit.
Crowdsourced cybersecurity. Bugcrowd is the premier marketplace for security testing on web, mobile, source code and client-side applications. By incentivizing security testers to report vulnerabilities in your app, our crowdsourced community of testers bring extensive testing coverage. Bug bounties are utilized by Facebook, Mozilla, and Google, but require resources not available to every company. They solve this problem by managing the entire bug bounty program for you. From setup to validations to distributing rewards, they provide a comprehensive solution so your team can focus solely on solving security issues.