As the talent gap in the security sector widens, crowdsourced security services like Bug Bounty-as-a-Service Platforms (BBaaS) are helping organizations bear some of the brunt.
Introduced by Netscape in 1995 and refined by companies like Google and GitHub, bug bounty programs are a useful way for security teams to leverage talent outside of their companies. The practice is now well established in the mainstream. By offering financial incentives to security researchers (or ethical / ‘white hat’ hackers) who discover vulnerabilities in their systems, organizations are able to leverage the power of crowdsourcing to have more security researchers working on the company’s behalf. They’re also, in part, mitigating their security threat by turning potential attackers into allies.
These programs have been around among large tech companies for some time, but for smaller companies, running such a program requires security resources and expertise to review and process the high volume of vulnerability submissions. To that end, we’ve seen BBaaS platforms like intigriti, HackerOne, and Bugcrowd fill the void for these companies – and even for governments – by acting as their bug bounty program operating system.
BBaaS platforms – intigriti, HackerOne, and Bugcrowd – give companies and organisations access to tens of thousands of freelance white hat hackers. They manage the hacker-customer relationship by establishing coordinated vulnerability disclosure policies (CVDs). These ensure that vulnerabilities are triaged, validated and reach the right ‘need to know’ people in a coordinated fashion. For organizations looking to employ quality over quantity, companies such as Synack bring together the top security researchers worldwide through a strict vetting process. Often, 90% of hackers who apply will be weeded out as substandard through an assessment of skills, trustworthiness and background checks.
Crowdsourced security is becoming specialized for size and industry.
With 10k new exploits per year, cyber crime has evolved into a large scale, global technology industry. Generating an estimated $1.5T in profits last year, this is now an industry that looks very much like legitimate tech companies, with organizational structures, recruiting, and specializations like medicine, autonomous vehicles and smart home devices. The white hat bug bounty community has had to adapt accordingly: only by keeping current with exploit tactics within emerging tech sectors do they stay a step ahead of the black hats they’re up against.
We will start to see formalized education programs within the various BBaaS platforms in the market as well as strategic partnerships between BBaaS platforms and specialized security vendors. Though maximum transaction value is at the enterprise level, I think we will also start to see bug bounty platforms move downstream by offering crowdsourced security services to earlier stage startups and SMEs.
Europe is still untapped but poised for growth.
2018 was a tough year for Europe: the exploitation of the EternalBlue vulnerability through the WannaCry and Petya/NotPetya ransomware attacks resulted in significant societal disruption in Europe and around the globe. The same year also saw the disclosure of Spectre and Meltdown, affecting nearly all computer chips manufactured in modern history. While some vulnerabilities are being responsibly disclosed, many severe vulnerabilities in European companies have been exposed only after substantial associated cyber attacks. In an effort to uncover vulnerabilities sooner, we will likely see wider adoption of BBaaS platforms in Europe and the UK.
According to the European Union Agency For Network and Information Security (ENISA), European corporates face a number of legal and cultural challenges limiting the adoption of CVDs and bug bounty platforms, summarized in brief below:
– Awareness of vulnerability disclosure has increased in recent years, but it is not yet standard practice in most business sectors within Europe. This is especially the case in sectors where vulnerability disclosure is less common or among organisations with less mature information security arrangements, such as the health sector. Organisations may also be faced with a ‘first mover’ challenge where an organisation is reluctant to be the first in their sector to implement a CVD or bug bounty program.
– Costs of implementation – Some organisations may perceive skewed cost-benefit calculations when it comes to implementing bug bounty programs. Organisations often need to develop processes, policies and procedures and dedicate resources to the management and operations of disclosure programs. There’s also the burden of managing the volume of erroneous or invalid reports. One study found that the volume of invalid reports can range between 35-55%, so this has significant resource implications.
– Lack of management support – A lack of understanding of and support for information security at the management level is a well-documented challenge in Europe. This also extends to issues of vulnerability disclosure and bug bounty programs.
– Legal barriers or uncertainty – Inviting largely unknown security researchers from anywhere in the world to explore and test an organisation’s systems could have unintended consequences. Organisations are concerned about the behaviour of security researchers, who may jeopardise system integrity, collect commercially sensitive information and intellectual property, or disclose data or vulnerabilities to third-parties, competitors or the public. There are also legal uncertainties from the white hats’ point of view.
This January, the EU launched the FOSSA bug bounty program offering up to €851,000 in rewards to white hats. In a validating co-sign for bug bounty programs in Europe, the EU in recent months is showing more signs of support for the adoption of CVDs and bug bounties. CVDs are incredibly complex and involve many stakeholders, such as software vendors, security researchers, governments, users and the general public. Given the complexities, organizations like the Center for European Policy Studies (CEPS) are urging for a European-level framework aligned with ISO standards for CVD as a “form of protection for security researchers”. The quote goes on to say, “researchers involved in vulnerability discovery are often exposed to criminal or civil liability. The legal liability and responsibilities of security researchers should be fully clarified to enable them to continue their work without fear of prosecution – Safe Harbor is critical to enabling security research.” (Section 6.2.2, Protection of Security Researchers) This progression bodes well for bug bounty platforms playing in the European market – i.e. companies such as intigriti, Hackenproof, and YesWeHack.
It is estimated that by 2022, CSSTP (Crowdsourced Security Testing Platform) products and services will be employed by more than 50% of enterprises, up from less than 5% as of June 2018. Yet while crowdsourcing helps with scale and effort, it is still human-based. White hats working directly with corporate bug bounty programs and on BBaaS platforms, are encumbered by rules of engagement and permissions. As a result their defensive response can be slow. By contrast, black hat hackers work nimbly and without rules, so to some extent they operate at an advantage. It will be interesting to see how BBaaS platforms and corporates utilize automation in their bug bounty programs. Will they be able to improve speed as well as the experience for white hats and corporates – particularly around automating vuln report processing? If so, this will benefit organizations with limited security resources. For corporates running private bug bounty programs, there is scope for automation and improvement of the white hat onboarding process as well as the various legal and compliance hurdles.
Beyond Bug Bounties
The market for bug bounty platforms is maturing. It is exciting to see how the platforms and white hat communities are evolving, but it’s worth noting that bug bounty programs and crowdsourced security services are not a cure-all for a company’s security problems. The best and cheapest form of security remains NOT shipping bugs in the first place. To that end, corporates need to do a better job of instilling a secure-by-design mindset by promoting a harmonious relationship between DevOps and Information Security teams, achieving DevSecOps. There are technical and cultural challenges in DevSecOps – the cultural ones being arguably the most important…a topic that I will cover in a following post!