As criminal activity on the internet continues to accelerate, bug hunting for cash has begun to attract more and more security researchers.
In its latest annual report, bug bounty platform Intigriti revealed that the number of analysts signing up for its services has increased 43% from April 2021 to April 2022. For Intigriti alone, that means the addition of 50,000 researchers.
For the most part, it noted, bug bounty hunting is part-time work for most of those researchers, with 54% having a full-time job and another 34% being full-time students.
“Bug bounty programs are quite successful for both organizations and security researchers,” observed Ray Kelly, a fellow with WhiteHat Security, an applications security provider in San Jose, Calif., which was recently acquired by Synopsys.
“Effective bug bounty programs limit the impact of serious security vulnerabilities that could have easily left an organization’s customer base at-risk,” he told TechNewsWorld.
“Payouts for bug reports can sometimes exceed six-figure sums, which may sound like a lot,” he said. “However, the cost for an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue.”
‘Good Faith’ Rewarded
As if there weren’t enough incentive to become a bug bounty hunter, the U.S. Department of Justice recently sweetened the career path by adopting a policy stating it wouldn’t enforce the federal Computer Fraud and Abuse Act against hackers it deems acting in “good faith” when trying to discover flaws in software and systems.
“The recent policy change to stop prosecuting researchers is welcome and long overdue,” asserted Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation in Tel Aviv, Israel.
“The fact that researchers have, for years, tried to find and help correct security flaws under a regime that amounted to ‘no good deed goes unpunished’ shows the dedication they had to doing the right thing, even if doing the right thing meant risking fines and jail time,” he told TechNewsWorld.
“This policy change removes a fairly substantial obstacle to vulnerability research, and we can hope it will quickly pay dividends with more people searching for bugs in good faith without the threat of jail time for doing it,” he said.
Today, ferreting bugs in other people’s software is considered a respectable business, but that hasn’t always been the case. “Originally there were a lot of issues when bug bounty hunters would find vulnerabilities,” observed James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Organizations would take great offense to it, and they would attempt to charge the researcher for discovering it when in fact, the researcher wanted to help,” he told TechNewsWorld. “The industry has recognized this and now has email addresses set up to receive this kind of information.”
Benefit of Many Eyes
Over the years, companies have come to realize the benefits bug bounty programs can bring to the table. “The task of discovering and prioritizing vulnerable, unintended consequences isn’t, and should not be, the focus of an organization’s resources or efforts,” explained Casey Ellis, CTO and founder of Bugcrowd, which operates a crowdsourced bug bounty platform.
“As a result, a more scalable and effective answer to the question ‘where am I most likely to be compromised next’ is no longer considered a nice-to-have, but rather a must-have,” he told TechNewsWorld. “This is where bug bounty programs come into play.”
“Bug bounty programs are a proactive way of remediating vulnerabilities and rewarding someone’s good work and discretion,” added Davis McCarthy, a principal security researcher at Valtix, a provider of cloud-native network security services in Santa Clara, Calif.
“The old saying, ‘many eyes make all bugs shallow,’ rings true, given the lack of talent in the field,” he told TechNewsWorld.
Parkin agreed. “With the sheer complexity of modern code and the myriad interactions between applications, it’s vital to have more responsible eyes looking for flaws,” he said.
“Threat actors are always working to find new vulnerabilities they can exploit, and the threatscape in cybersecurity has only gotten more hostile,” he continued. “The rise of bug bounties is a way for organizations to get some independent researchers in the game on their side. It’s a natural reaction to an increase in sophisticated attacks.”
Bad Actor’s Bounty Program
While bug bounty programs have gained greater acceptance among businesses, they can still create friction within organizations.
“Researchers often complain that even when firms have a coordinated disclosure or bug bounty program, too much pushback or friction exists. They often feel slighted or pushed off,” noted Archie Agarwal, founder and CEO of ThreatModeler, an automated threat modeling provider in Jersey City, N.J.
“Organizations, for their part, are often stuck when presented with a disclosure because the researcher found a fatal design flaw that will require months of concerted effort to mitigate,” he told TechNewsWorld. “Perhaps some prefer such flaws would stay buried out of sight.”
“The effort and expense of fixing design flaws once a system is deployed is a critical challenge,” he continued. “The definitive way to avoid this is to threat-model systems as they are built, and as their design evolves. This equips organizations with the ability to plan and deal with these flaws in their potential form, proactively.”
Probably one of the greatest testaments to the effectiveness of bug bounty programs is that malicious actors have begun to adopt the practice. The LockBit ransomware gang is offering payouts to folks that discover vulnerabilities on their leak website and in their code.
“This development is novel, however, I doubt they will get many takers,” predicted John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company.
“I know that if I find a vulnerability, I’m using it to put them in prison,” he told TechNewsWorld. “If a criminal finds one, it’ll be to steal from them because there is no honor among ransomware operators.”
“Ethical hacking programs have been enormously successful. It’s no surprise to see ransomware groups refining their methods and services in the face of that competition,” added Casey Bisson, head of product and developer relations at BluBracket, a cybersecurity services company in Menlo Park, Calif.
He warned that attackers are increasingly finding they can buy access to the companies and systems they want to attack.
“This should have every enterprise looking at the security of their internal supply chain, including who and what has access to their code, and any secrets in it,” he told TechNewsWorld. “Unethical bounty programs like this turn passwords and keys in code into gold for everybody who has access to your code.”