Vetting researchers builds trust in bounty programs
Bugcrowd’s recent State of Bug Bounty report noted that many bug bounty programs are commonly run on third-party platforms that, “manage the operational end of the programs, bringing the research community together and handling the payment process, opening up the opportunity for more companies to successfully run bug bounty programs.”
While companies from Facebook and Google to Tesla and United Airlines have popularized bounty reward programs, more conservative enterprises outside of the technology industry, such as larger financial services and healthcare organizations, have not been as comfortable taking the leap of faith that the benefits of bounty programs outweigh the risks. This tentative response across industries outside of tech has led to the rise of private or invitation-only programs.
[ ALSO ON CSO: How (and why) to start a bug bounty program ]
Jay Kaplan, CEO of Synack, said that for these more conservative enterprises, it is, “really important to have contractual obligations.” Companies want to know who they are dealing with, and a vetting process that includes background checks and behavioral interviews can winnow down the candidate pool to the most trustworthy prospects.
“Candidates need to be well versed in techniques, but a vetting process has to be about both skills and trust,” Kaplan said. The vast majority of enterprises want to know that the people they are dealing with can be trusted.
“Some companies,” Kaplan noted, “will never be able to take that leap of faith that they can trust doing business with hackers who haven’t gone through some screening process.” Kaplan said as more success stories reveal the efficacy of private bounty programs, “more conservative organizations will adopt these measures.”
There have been a lot of security successes in both public and invitation-only bounty programs. The successes run the gamut from finding criminals gaining access to files or transferring money from accounts to a variety of other serious issues that have gone undetected for months.
The Bugcrowd report noted that 67.7 percent of the vulnerabilities detected in public and invitation-only programs included, among other flaws, information leakage, password recovery, lack of security headers, and authentication issues. The top six vulnerabilities that make up the remaining 32.3 percent of issues include XSS, CSRF, Clickjack, Mobile_Device, SQLI, and Mobile_Net.
Bounty programs join together those who are capable of finding these and other vulnerabilities with those enterprises who need to protect themselves against criminals with malicious intent. Perhaps a different way of looking at bug bounty programs is to move beyond the connotations associated with the word ‘hacker’.
Alex Rice, CTO and co-founder HackerOne said, “The hacking process naturally identifies security flaws or weaknesses. The goal is to have conversations with the people who have good intentions.”
Hacker doesn’t equal criminal. “A hacker,” Rice said, “Is anyone who thrives on how things are put together, which is IT security personnel, all the way to some with grayer backgrounds.”
In 2011, Facebook decided to build and maintain a very strong relationship with the hacker community, said Rice, but they were very transparent about problems they had and looked for ways to solve those problems. “They worked at both the reactive and proactive level, and it became an ingrained procedure to have conversations with external people about something that went wrong,” Rice said.
What proved to work in this intimate relationship between the hackers and the enterprise, according to Rice, was a gentleman’s agreement of a responsible disclosure policy. “It legitimizes the activity of hackers on the platform when an enterprise says, ‘if you follow these steps and behave in good faith we will never do anything against you,’” Rice continued.
Indeed, there are many people out there who are capable of breaking security, but “The more creative minds you have the more likely it is that they will be successful, and the more difficult it is for a criminal to compromise,” Rice said.
Almost all of the vulnerabilities discovered are things that can be accessed or exploited remotely, Rice said. “Deep in the code base. Someone on the inside might recognize that there might be a security flaw if all these other things are true, but bounty is somebody on the outside.”
Many vulnerabilities are somehow connected to the Internet. The majority of them are web, mobile apps that run on the platform through open source. Rice said, “There is a tremendous amount of diversity that they find, so it’s a challenge to try and categorize them.”
What every enterprise has in common, though, is that they are susceptible to vulnerabilities that allow someone to completely compromise a network from the outside.
Marrying the powers of inside and outside talents requires a shift in thinking. It’s sharing the keys, which feels downright scary for some enterprises. Rice said, “This is something that everyone has universally gotten wrong, living in this delusion that they can solve security issues by themselves.”
“You have to ask for help. Asking and incentivizing others to find out what you are missing. A criminal only needs to find one vulnerability, and you as the defender need to find all of them. You can’t,” Rice said. Bounty programs are essentially asking hundreds of other people to identify that thing they think they might have missed or they don’t know that they missed.
Sean Curran, director in West Monroe Partners’ Technology Infrastructure and Operations practice, said,“Bug bounties have also led to the development of automation tools and bug identification techniques that can be used to assist with quickly identifying poor coding practices or potential vulnerabilities.”
The greatest challenge with security is that very little can be categorized. Curran said, “As we continue to see an increase in the Internet of Thing market, which includes extending connectivity to devices that were traditionally never designed to be publicly accessible, we will continue to see products that lack the security controls and security maturity of traditional software products.”
These evolutions in technology open more doors for vulnerabilities to go undetected. “There is no one flaw or flaw type that is missed. Each product presents a unique solution solving a unique problem. The vulnerabilities in Java differ widely from those in Internet Explorer,” said Curran.
It is this uniqueness that results in the challenges with identifying and resolving every bug possible, Curran noted. “If it were that simple, we wouldn’t see the vulnerabilities we do today because someone would automate a solution,” he continued.
“The US DoD and DARPA run annual challenges that could be construed as bug bounties. They have recognized that the power of many minds looking at problems through different lenses and with different experiences can result in innovative approaches to solving a problem,” Curran said.