Governments are pouring into bug bounty programmes; the UK is reluctant
The money paid out to hackers for disclosing vulnerabilities has risen sharply over the past year, a new report shows, with the average award for a critical vulnerability increasing 33 percent to $20,000 (£15,000) in 2017 for the top awarding programs.
That’s according to a new report from bug bounty specialists HackerOne; a company that allows organisations to get their networks and applications tested for cyber vulnerabilities – via its centralised platform – by a largely freelance coterie of hackers.
American Hackers Dominate, Germany on a Roll
Hackers in the US were the most successful, with 17 percent of all bounties awarded, with Indian and Russian hackers earning the second and third most, respectively. German hackers were on a roll meanwhile, earning 157 percent more in 2017 than in 2016.
The report comes after Gartner reported last month that “crowdsourced security testing is rapidly approaching critical mass, and ongoing adoption and uptake by buyers is expected to be rapid.”
Charl van der Walt, Chief Security Strategy Officer for SecureData Europe, told Computer Business Review: “Bug bounty programmes have absolutely been a good thing. They’ve given the offensive side of the fence a way to cleanly monetise vulnerabilities – selling on the black market is tricky; how do you know you’re not selling to a cop? – and generated a lot of really useful data.”
He added: “I was recently asked if participating is a bit like ‘painting a target on your head’. The short answer is no: there is no way of staying under the radar.”
“The bad guys will find you anyway. And these programmes can also really motivate a company: CISOs rarely get enough attention and participation seems to galvanise executives; things start happening that never did before.”
Credit: David ClodeThere was a significant increase in government sector participation in bug bounty programmes – up 125 percent on 2016 – HackerOne said, with new program launches including the European Commission and Singapore’s Ministry of Defense.
Government Participation in Bug Bountry Programmes Rises
Thirteen EU member states are currently contemplating the creation of a national coordinated vulnerability disclosure policy (CVD), according to Brussels-based think tank CEPS – which recently led an industry task force that has called on the European Commission to provide legal clarity for software vulnerability discovery and disclosure, warning that software researchers remain exposed to criminal or civil liability.
Despite widespread use of bug bounties by the US Department of Defense – for example its Hack the Pentagon programme – the UK remains wary of participating in such programmes across the public sector and has only recently started dipping its toes in.
Hackers with a Halo?
The UK’s National Cyber Security Centre (NCSC) for example, partnered with Luta Security in March 2017 to invite a select group of security experts to participate in the UK’s first government pilot for vulnerability coordination.
Bug finders only get a pat on the back however.
An NCSC spokesman told Computer Business Review: “As part of the NCSC’s Active Cyber Defence work, our Vulnerability Coordination Scheme helps security researchers to disclose vulnerabilities found in OFFICIAL Government IT systems and private sector organisations.”
“These disclosures help us in our mission to make the UK the safest place to live and work online. While the NCSC is not in a position to provide any monetary reward for reporting security vulnerabilities, we are giving people who want to do the right thing the means to do so.”
Transparency and Trust Issues Linger
The reluctance points to lingering concerns about pointing unknown adversaries in your direction. Advocates saying doing it through a well-managed programme is worth it. George Gerchow, Chief Security Officer at Sumo Logic started running an in-house bug bounty programme for his company in 2015, before switching to HackerOne.
He said doing it in-house raised three key challenges: the number of bug submissions that had to be verified; the need to organise a payment structure that was “fair and agile” enough and the stress on our DevSecOps team having to triage rate and score (CVSS) the bounties and prioritise remediation.
The CSO told Computer Business Review: “We started running bug bounties for the following reasons: we were getting a large volume of threatening emails from ‘independent researchers’ claiming to find vulnerabilities and looking for crypto payment. It was distracting our team from working on other priorities. Now when we get one of those emails, we just invite them to join our bounty programme.”
He added: “Inviting people to try and break your service makes you more secure. By working through our bounty portal, the hackers, our DevSecOps team and our development teams can all identify and fix issues in an agile fashion.”
Impact on Penetration Testing Industry
With the penetration industry in many sense doing similar work, what has been the impact of bug bounty programmes’ rise in popularity? (The former might typically cost £1,000 per day, while the bounty for a lower level vulnerability might average out at £500, according to industry insiders).
Charl van der Walt told Computer Business Review: “They’re very different industries. Many enterprises want that leverage over you they have as a pen tester. They might want you to test in pre-production; something the industry needs to shift towards doing more of and they want to push your processes into their risk mitigation systems.”
There’s scope, in short, for both. But one thing seems clear: interest in bug bounties onlooks set to grow. One area that is also showing rapid change, the HackerOne report adds, is adoption of of vulnerability disclosure policies (VDP) .
Goldman Sachs, Toyota, and American Express are among those to have launched a VDP in 2018 thus far, but with 93 percent of the Forbes 2000 still not having a public-facing VDP, the cultural shift is just beginning.