Roaming throughout the countryside, dangerous desperados are awaiting in their hideout for the perfect opportunity to rob their victims in silence. Powerless, the authorities have posted wanted posters on public boards with cash bounties for any information that could lead to their arrest or death, hoping that good citizens will rise and bring justice to the country.
Soon, brave cowboys decided to take on the challenge. Looking for fame and fortune, they explored the arid deserts for any trail leading to their targets, pursuing the tiniest of details until they finally found some of the scoundrels.
Unfortunately, unskilled citizens and charlatans seeing the news also wanted a piece of the pie, and hoped to get it without putting in the effort. They started to unwittingly harass the ignorant officer assigned to processing the reports from the public, who was less than happy about the situation, and soon became frustrated and jaded.
The heroic cowboys, however, were oblivious to the situation. Proud of their accomplishments, they returned to meet the same agent to collect their bounties, and were rather surprised at how their reports were processed. One was disregarded because the information had already been known for months. Another was not applicable since it reported something in the wrong jurisdiction, despite contradicting official maps. A third was ignored because the criminals were not notorious enough. A fourth used jargon that the agent misinterpreted. A fifth was never read seriously. A sixth was rejected due to insufficient evidence. And so on, and so forth. When the flabbergasted claimants appealed, the appeals generally just led to more wasted time for everyone.
And yet, the starving souls persevered in their adventures. They started to group together, encouraging each other with tips to become more efficient trackers and to work around the obtuse and seemingly arbitrary rules of the officer. They would enter friendly competitions with each other to prove their worth, and learn from the best. One day, they thought, they would prevail and realize their dreams.
The unfortunate truth is that only a few were talented and determined enough to rise above the rest and become local celebrities. And even then, most could not rake in enough money to survive. But despite this, they continued forward, motivated by a never-ending desire to catch the bad guys and bring them to justice, until they either starved to death or were forced to retire. The boldest would keep their dreams alive against all odds, chasing bandits around the countryside in their free time as a hobby of sorts, while looking at the sunset for a better future.
The end... or so everyone thought, until history would repeat itself.
Because this isn't just a bad Western story. This is also what's happening in the cybersecurity industry nowadays. Replace the criminals with software vulnerabilities and the cowboys with freelance security researchers, and the story still holds. In fact, it becomes a story in which I participated myself for a little while as a potential career, until I realized how ruthless and fundamentally broken the current economic model of bug bounties really is.
Bounties on computer bugs?
The basic idea of bug bounties is rather simple: an organization allows people to attempt to hack some of its systems up to a reasonable limit, and in exchange, people who privately report the vulnerabilities they find receive rewards proportional to the business risk associated with their exploitation, as long as they are the first to report each vulnerability. Reward amount ranges must also be clearly posted in advance for each applicable weakness type (for example by CWE ID) or vulnerability severity (for example by CVSS base score).
This system has a few advantages. First, it encourages people to report problems that they would not privately disclose otherwise. Second, it serves as a security audit of last resort. Third, it gamifies the work associated with performing security audits, encouraging people to take part in the activity without having to pay them unnecessarily.
In fact, the gamification works so well that some organizations don't even bother giving cash rewards, and instead grant points to participants for notoriety purposes only. And yes, there are people stupid enough to agree to such free labor for profit-making organizations; I've even personally encountered a foolish security researcher who directly encouraged me to do so!
The other side of that system, however, is represented in the story from the introduction: there is too much competition in the field, and said competition is not necessarily talented. Script kiddies performing low-skill attacks without understanding what they're actually doing are pretty common, unfortunately.
This causes a lot of noise to sort through by people who may not be familiar enough with cybersecurity to do a good job of it, and that's if they even care in the first place. For example, whenever I would ask for help from fellow freelance security researchers, the help I would generally receive came from people less talented and knowledgeable than I already was about the topic I was asking about, and sometimes said help would be completely irrelevant and distracting. While I've heard from some of them that they really enjoyed belonging to a community that would help each other, I felt more like I was lost in a sea of children scrambling to get their homework done together without any understanding of what they were trying to do.
Plus, organizations may be reluctant to post or award competitive bounties because they think they may not be able to afford it, or simply due to blind greed. For example, a previous work colleague told me that they had a bug bounty program in place in their organization, but abandoned it because it wasn't considered to be worth the maintenance costs after all. In another example, another organization refused to award me the posted bounty despite a working exploit that stole the social security numbers of customers, and despite them acknowledging that I had correctly complied with their posted bug bounty program guidelines. This is absurd on both sides of the relationship.
While it is possible for an organization to mitigate the competition issue by only allowing noteworthy security researchers to perform hacking attempts in a private program, doing so is far from perfect. I can speak from experience in this regard, as I had joined a private program myself, the Synack Red Team, from which I made a whopping total of absolutely nothing in gross revenue. I was personally hoping that my extensive expertise in software development and cybersecurity would give me an edge, but this proved to be insufficient for success. In fact, every single security researcher I have interviewed who was part of that private program, including very talented hackers at the top of the leaderboards and even one of their official ambassadors, admitted to me that they could not make it a full-time job if they wanted to.
From my analysis, I can only conclude that, in general, only the fastest researchers and/or the hyper-specialized researchers have a chance to make a living out of it... and those are things that should be better handled by manual and automated testing performed internally or by consultants anyway.
Which leads me to my next point.
Cowboys versus sheriffs
While it makes sense to have jobs being compensated proportionally to the value of generated accomplishments, limiting such accomplishments to the gravity of exploits found is not. The reason is that security research is not about finding vulnerabilities, but about assessing the strength of defenses. Having a bunch of people potentially trying to validate the same thing over and over again is simply not productive for anyone.
It's worth noting that Synack is in a unique position to implement a few measures with its private Red Team program to mitigate this, but without going into details, during my time in that team, these measures were rarely helpful to me, and sometimes caused even more problems than they solved. Despite some good ideas and innovations, they were mostly wasted due to questionable implementation.
Considering this, I believe the problem is using bug bounties as a means to receive community-driven security audits (cowboys), instead of investing in professional security audits (sheriffs). And by professional, I don't mean hiring a consulting firm for yearly audits, but rather having a strong internal strategy to mitigate security risks, and assessing defenses constantly throughout development. Besides, if a freelance security researcher were to come up with creative solutions to exploit your system, wouldn't you want to hire them to look for more anyway? That sounds much better than a one-time cash reward to me!
An important keyword here though is "creative". It's easy for an organization to say "we take security very seriously", but it won't help without people actually doing so. And again, leaving that responsibility to random freelancers on the Internet is most likely insufficient.
I'm not sure if it's possible to write a universal security strategy, but I believe good ones should at the very least include:
- Coding standards that mitigate such risks.
- Test automation to detect such risks.
- All features sufficiently documented.
- A zero tolerance policy for bugs.
- Full-stack developers.
- Creative researchers dedicated to finding flaws, and documenting their efforts.
- Mitigating the recurrence of a given type of flaw whenever one is detected.
As you can see, bug bounty is nowhere to be found in that list. Security research, just like the rest of quality assurance, should be embedded in all stages of development in my opinion. And if you get really confident in your security, feel free to announce bug bounties with huge payouts to prove it to the world! Until then, if you are lacking the required expertise to course-correct, I would recommend reaching out to external partners to help you make the transition, as fellow sheriffs to guide you on the path towards prosperity.
So, how can you improve your security strategy in your organization? 😉