Companies need all the help they can get to stay one step ahead of the next big security vulnerability, and sometimes that means relying on outside forces.
Bug bounties elicit security help and advice from independent hackers and security researchers usually in exchange for a cash reward. The hacker scours the site, discloses the vulnerability to the company, it gets patched, and the hacker pockets some money. Bug bounty programs have been around for a long time. But in recent years, they’ve become much more common.
Facebook has paid out millions in rewards to bug hunters over the years. Earlier this year, Anand Prakash, a security engineer from India, discovered and disclosed a major bug that would have allowed him to potentially access any account. He found that it was possible to make an infinite number of PIN attempts upon resetting an account if you’re using beta.facebook.com, the developer site for new features not yet rolled out to the masses.
“I was able to view messages, his credit/debit cards stored under payment section, personal photos and more,” he said. The discovery (which was promptly fixed) netted him $15,000, and there’s no evidence that the vulnerability was ever used by malicious attackers.
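The beta-site bug described above came down to a missing attempt counter on the reset PIN. As an added illustration (this is not Facebook's code), here is a minimal reset-PIN verifier that caps failed guesses per reset request, expires the PIN, and burns it after too many wrong guesses; the limit, the lifetime and the injectable clock are assumptions for the example.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # failed guesses allowed per reset request (assumed policy)
PIN_TTL_SECONDS = 900   # reset PIN lifetime, 15 minutes (assumed policy)


class PasswordResetService:
    """Issues one-time reset PINs and verifies them with a per-request attempt cap.

    The missing piece in the bug discussed above was the attempt counter: without it,
    a six-digit PIN can simply be guessed exhaustively.
    """

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for testing expiry (assumed helper)
        self._pending = {}   # account -> {"pin": str, "attempts": int, "expires": float}

    def request_reset(self, account: str) -> str:
        pin = f"{secrets.randbelow(10**6):06d}"  # 6-digit PIN from a CSPRNG
        self._pending[account] = {
            "pin": pin,
            "attempts": 0,
            "expires": self._clock() + PIN_TTL_SECONDS,
        }
        # A real system would deliver the PIN out of band (email/SMS), not return it.
        return pin

    def verify(self, account: str, guess: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]  # stale request: force a fresh reset
            return False
        # Record the attempt before comparing so every failure is counted.
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["pin"], guess)  # constant-time comparison
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            # A correct guess consumes the PIN; too many wrong guesses burn it,
            # so the reset must be restarted and a new PIN generated.
            del self._pending[account]
        return ok
```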
The bug itself is quite simple, but had severe implications, and somehow went undetected by Facebook’s own teams. After all, security pros are still only human, and a second opinion can make a huge difference. Which is why we’ve seen a bloom in bug bounty programs from major players like
Who’s hunting bugs?
Neal Poole, a security engineer at Facebook, took part in several bounty programs before eventually joining the social network and continues to hunt for vulnerabilities. He believes bug bounties make the Internet safer for everyone.
“The people participating in our program represent a huge pool of security talent. In a number of cases these are people who we wouldn’t be able to hire full time even if we tried,” Poole told Digital Trends. “They enjoy using their talents to make Facebook and the people using it safer. A bug bounty program provides us with a way of compensating those people for their time, effort, and skills.”
Social networks like Facebook aren’t alone in running programs. Shutterstock used to have an internal rewards program for staff to spot and submit bugs, but it has since sought help elsewhere.
“With time, we moved beyond the internal bug bounty system and have a profile up on hackerone.com that invites private researchers to find bugs in our system, and we will pay them out for it,” said Sandeep Chouksey, Shutterstock’s VP of engineering.
Casey Ellis, CEO of Bugcrowd, says opening up a bug bounty on a site like Bugcrowd creates a go-between for the company and the researcher that can “speak both hacker and business.”
“Fundamentally what we’re doing is taking these two groups of people, who don’t really have a good history of understanding each other, or getting along, to be able to transact and exchange value,” he said.
“Simply put, in-house testing does not compare with using the crowd, via bug bounties, in terms of effectiveness,” added Alex Holetec, CEO of Hackable.io, a platform running programs for IoT companies.
Leveraging the crowd brings with it a diverse array of backgrounds and skill sets that are keeping a constant eye on the company’s security, while full-time staff can focus their attention on other matters.
“My engineers’ time and effort is better spent working on code quality, helping developers become better, more security minded developers in the long run. Operating the bug bounty allows us to leverage that outside community and get a near-constant stream of researchers prodding and poking at the system and reporting vulnerabilities,” said Shawn Davenport, VP of security at GitHub, which now pays up to $10,000. He continued on to say the continuous testing provided by bug bounties has proven more economical than an annual third-party assessment conducted by a security firm.
In recent weeks, Uber has joined the bug bounty bandwagon, and even the U.S. government is on board with its first security disclosure program at the Department of Defense.
But bug bounties aren’t a silver bullet for the bugs that in-house teams miss. Threats are always evolving, and bug bounty programs are inherently reactive.
“Although bug bounty programs will always be necessary, they ask cybersecurity experts to find issues after the fact and oftentimes can result in new issues or rehash patched errors,” said Todd Inskeep of Booz Allen Hamilton, who sits on the RSA conference advisory board. “If cybersecurity experts and business leaders spend time designing/threat modeling for a more secure product upfront, we can save time and money in the long run, and reduce risk.”
When hackers go too far
Like everything in security, nothing is straightforward with bug bounties, either. Researchers and hackers still face criticism for their tinkering. Last year Wesley Wineberg, a security contractor with Synack, came to blows with Facebook over a significant Instagram bug.
Wineberg, who has claimed thousands in bug bounties in the past, found an exposed Amazon server run by Instagram that allowed him to run his own code. He was able to crack employee passwords and even download some non-user data. As he wrote at the time, “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement.”
The flaw was accessible for up to a month, claimed Wineberg, who carried out his research in stages while corresponding with Instagram. But the Facebook-owned company would eventually accuse him of going too far, and criticized him for writing about it online.
Facebook CSO Alex Stamos went to the CEO of Synack with concerns that Wineberg had “acted unethically,” and risked setting a precedent for exfiltrating unnecessary amounts of data that goes beyond appropriate research.
The case highlighted the difficult balance that tech companies can face with security researchers. They want help with security flaws, but still want to maintain a certain level of control over disclosure, and how far hackers can go.
Last year, Oracle’s chief security officer Mary Ann Davidson courted controversy from the security community with a now-deleted blog post that excoriated hackers, researchers, and regular customers for overstepping their bounds, fiddling with products that aren’t their own, breaking license agreements, and infringing on intellectual property.
“Bug bounties are the new boy band,” she wrote. “Many companies are screaming, fainting, and throwing underwear at security researchers [sic] to find problems in their code.” She added that security researchers only find about three percent of bugs, and the vast bulk is discovered by companies’ in-house teams.
In a climate where many of the biggest players, from Facebook to Google, run generous programs, her attitude was not well received, but many still agree that there needs to be a balance met between the two sides.
“The company should retain a right to defend itself and say what’s ok and what’s not,” said Bugcrowd’s Ellis, though lines of communication between both sides need to stay open.
“That’s when you need someone who speaks both languages. You’ll have the hacker who thinks they’re right and thinks that they’ve played by the rules and they got information that’s important and should be listened to. Then you’ve got a company that quite frankly feels threatened by the whole thing, and is doing what it needs to do to defend itself.”
The bounty board is here to stay
Bug bounty programs are becoming more common, not just as a means for companies to solicit external help, but also to keep the conversation around security flowing. And the trend seems to be accelerating. In March, Google doubled its reward for the top bug in the Chrome program from $50,000 to $100,000, showing that the company is eager to find bugs and will pay dearly for their discovery.
“All in all what it comes to is that the internet is horribly vulnerable and it’s been horribly vulnerable for a long time,” Ellis told us. “The fact that people can think like bad guys but don’t want to be bad guys, and are willing to help is one of the most powerful forces that we have available to us.”
That, we think, rings true. It can be argued that bug bounties result in a lazy, reactive approach to coding — but programmers who lack attention to detail won’t magically become perfect if bug bounties disappear. While bounties should be used alongside other security practices, rather than relied on exclusively, they harness the talents of freelance coders who might otherwise be tempted to use their knowledge solely in their own self-interest.