
Vulnerabilities / Threats

4/28/2014
07:30 AM
Marisa Fagan
Commentary

Why Bug Bounties Are The New Normal

Bug bounties today are big business. Find out how crowdsourcing is changing the dynamics of independent security research and vulnerability disclosure.

What was once an infrequent arrangement practiced by well-intentioned white hat security researchers has become a market whose norms are being defined and enforced daily. Vulnerability disclosure has, in fact, become a lucrative career for determined independent researchers. The "good faith effort" has shifted from being the responsibility of the researcher to being the obligation of the company.

Today, there is an expectation in the market for companies to be receptive to independent security research, and companies that react negatively are being portrayed as shortsighted and ineffective. In this newly evolving security research market, there are two drivers changing the old model.

The first is that researchers expect to be rewarded for their findings more often. By launching bug bounty programs of their own, companies like Microsoft and GitHub are legitimizing the policy pioneered by Google and Facebook of paying for security vulnerabilities. (Facebook in particular has seen a substantial increase in its rate of submissions.) Bringing this reward structure into the mainstream changes the expectations of security researchers in general.

The second driver is a flood of inexperienced researchers joining the market to take advantage of the new economy. On the surface this might look like a negative change, but experience shows that the increase in numbers lets companies tap into the benefits of crowdsourcing: for relatively low cost, crowdsourced security testing produces broader coverage of an application and more realistic attack vectors than a single tester would.

These changes have created a new model in the disclosure market: "transactional disclosure." A transaction is a business arrangement in which each side is equitably compensated through a simple, repeatable process. In the bug bounty market, the transaction is a monetary reward paid for submitting a security bug, and there are thousands of these transactions every year, most of them small payouts of less than a few hundred dollars each.

More eyeballs & a new vocabulary
For experienced researchers disclosing serious, high-impact bugs, the process is well understood but labor intensive. The expectation is that the effort required to be rewarded will be in proportion to the reward. It usually involves a time-consuming exchange of banking and tax information, along with other pieces of identity, and in return the reward is usually a large sum of money. For the coming generation of career bug bounty researchers, who make their money on a higher volume of lower-impact bugs worth less each, the effort on both sides is only worthwhile if the disclosure process is streamlined and efficient.

Researchers expect communication and validation in a timely manner, and as a result a shorthand vocabulary has evolved. A submission is either a "valid bug" or an invalid submission. A "duplicate" is a valid bug that is either already known from a previous submission or is on the list of known issues set out in the terms of the program. A bug can be valid and still go unrewarded because its impact is not high enough for the company to justify fixing it. These predictable activities are the sort of thing that is forming the basis for the CERT Division of the Software Engineering Institute's Vulnerability Disclosure Policy.

This army of eyeballs is changing the dynamic between the security team and the developers when lists of vulnerabilities found in the wild are handed off. The crowd, by its sheer volume, feels more like the public eye. With that comes the expectation that companies will commodify their responses in the same way researchers are commodifying their high volume of lower-impact bugs. A vulnerability disclosure no longer lives in a vacuum: when a researcher chooses to disclose, he or she brings to the table expectations shaped by every previous experience disclosing bugs to other companies.

The biggest sign that the model for vulnerability disclosure has changed is the emergence of new crowdsourced security companies like Bugcrowd, where I work as community manager for a crowd of over 8,000 security researchers. These third parties streamline the disclosure and payment process down to simple transactions. Researchers can reuse the same payment information across dozens of sites when testing for bugs, which makes the effort easier to justify. There is also the added bonus of a layer of abstraction and anonymity between the researcher and the target company.

Bug bounties are becoming big business, and these crowdsourcing services are iterating on the transactional model to make it as easy as possible to get as many bugs as possible out of the wild. Companies need to be aware that there is a new community of security researchers with evolving expectations about vulnerability disclosure. Those that do not stay in front of this trend may end up not only with a breach on their hands, but with a lack of public sympathy as well.

Marisa Fagan is the Community Manager for the crowd of more than 7,000 security researchers at Bugcrowd. She brings seven years of experience working with the information security research community to bridge the gap between companies and independent research. She's worked ...
Comments
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 9:03:13 AM
Re: About time!
Marisa, 

How widely recognized and adopted -- among bounty hunters -- is the CERT Software Engineering Institute's Vulnerability Disclosure Policy?
Robert McDougal,
User Rank: Ninja
4/28/2014 | 7:10:46 PM
Re: About time!
In my professional opinion it appears that many of the large players in the market have adopted the pay-for-bug mentality, Yahoo included. I believe it was shortly after the Yahoo incident when the Microsoft- and Facebook-backed HackerOne site was launched to create a central location for bug bounties.

Obviously there are still holdouts to the new norm, but I would say they are now a minority. Moving forward, any large companies that refuse to pay for bugs may find themselves on the wrong side of a vulnerability.
dumbledin,
User Rank: Apprentice
4/28/2014 | 5:36:22 PM
Re: About time!
Yes!! Yahoo pays me on HackerOne; I have received $15,000 to date. Can't use Bugcrowd for bounties there. Very happy with the HackerOne team for bounties and hackers :)
MarisaFagan,
User Rank: Author
4/28/2014 | 4:07:07 PM
Re: About time!
Robert, Yahoo is a fantastic example of this growing trend towards paying external researchers. Six months after the Yahoo "T-shirt-gate" media coverage, their security team is now paying out a minimum $250 bounty for bugs that demonstrate a security impact.
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:17:49 PM
Re: About time!
Robert, do you think the security industry recognizes and understands the new role bug bounties play in vulnerability management? Or are most of them still in a T-shirt mentality?
Robert McDougal,
User Rank: Ninja
4/28/2014 | 2:37:20 PM
About time!
As this article points out, bug bounty programs are not a nicety; rather, they are necessary. For example, just last year a security firm reported four separate XSS vulnerabilities to Yahoo, and their reward was a T-shirt. The moral of the story: if the security researcher is not properly compensated for their work, then they may sell the information to someone who is more generous.

Link to Yahoo story