The threat from cybercrime has never been greater. As a result, corporations and governments are increasingly turning to hackers, i.e. white hats, for help, with the promise of cash rewards known as bug bounties. And experts suggest that it’s the best way to boost cybersecurity.
Google the word ‘hacker’ and most images seen on the front page are that of a sinister individual in a black hoodie portrayed as the most dangerous criminal in the digital world. However, as the old adage goes, ‘it takes one to know one’. Ethical hackers have now become a valuable part of the cybersecurity battlefield. As companies race to push out software without thoroughly vetting it for security flaws, reliance upon the hacker community to find and report these security holes has become an increasingly vital component of software development.
With cybercriminals constantly exploring new attack methods, continuous security testing is fundamental to staying on top of threats. And seeking help from experts outside a company’s IT department, such as hackers and researchers, has become quite common among cybersecurity companies. As Detectify Crowdsource community manager Carolin Solskär said, “Having a hacker’s approach to security testing software [can] help avoid pitfalls commonly exploited by hackers.”
As a result, bug bounty programs have become an effective way to find many more vulnerabilities, including bugs unknown to the public, than an internal security team can on its own. Companies get access to a global pool of skilled ethical hackers and increase the chance of finding weaknesses in their applications before attackers exploit them. Bug bounties crowdsource the discovery and reporting of vulnerabilities by rewarding the white hat hackers who find them, so that fixes can be developed before cybercriminals exploit the flaws. CSS head of cyber IT services E.J. Yerzak said, “Bug bounties are reshaping the cybersecurity landscape, proving that just about anything can be crowdsourced nowadays.”
While bug bounties were controversial at first – since they reward hackers – they have now become increasingly formalised programmes. In fact, big organisations such as Google, Goldman Sachs and the US Department of Defense are already using bug bounty programmes as a way to bolster security. For instance, in 2020, Google paid out $6.7m, with its average bug rewards ranging from $100 to $31,337. In addition, Microsoft shelled out $13.7m to bug bounty hunters and Facebook paid $1.1m to researchers for reporting bugs on its platforms. Apple, too, announced a reward of $200,000 for a flaw in the iOS secure boot firmware components.
According to Yerzak, “Bug bounty programmes first emerged as a way for companies to compensate ethical hackers and security researchers for finding vulnerabilities that can be exploited. For the bug hunters, the payday complements the bragging rights which accompany a successful find.” In fact, payments to hackers for finding bugs increased 83% in 2019 and 26% in 2020 with some bounties surpassing $10,000, according to bugcrowd.com.
Penetration testing vs bug bounty hunters
The evolving sector of cybersecurity has shown that there is no single method for detecting vulnerabilities. From pen testing and fingerprinting to external attack surface monitoring and port scanning, there are a host of methods that companies can use to identify potential anomalies. In a typical software development lifecycle, testing for vulnerabilities is conducted by a team that puts an application through a standardised set of tests. For instance, web penetration testing is a process of testing a system’s security through simulated cyberattacks, using the same techniques an attacker might. However, according to KYND CMO Melanie Hayes, “its scope is limited as the services are paid for to look at specific areas or systems.” Comparatively, bug bounty programs are broader in scope and can cover a larger swathe of areas. Companies that subject their applications to regular penetration testing can supplement that scheduled testing with a bug bounty program, so that a large and varied pool of testers continually probes the application with different methods and tactics. “Where this truly shines is the element of crowdsourcing as it is open to all eligible participants, rather than a single organisation or contractor, which can lead to more reported bugs in a shorter period of time,” she continued.
Echoing a similar sentiment, Solskär detailed that while pentests can give an in-depth view of a system’s weaknesses and vulnerabilities, they only offer a snapshot of the issues, as the testing is not continuous. “Bug bounty programs, on the other hand, are a way for companies to get freelance ethical hackers to continuously find and report software vulnerabilities in their systems,” she added. Detailing the process, she said that ethical hackers begin at the reconnaissance stage, where information is gathered to understand how a piece of software or a website works ‘behind the scenes.’ They then use automated tools and processes to find weaknesses in the system or process. “If you know a website runs on WordPress, then you would definitely search for WordPress vulnerabilities and misconfigurations,” she continued. The next step is fuzzing, which means providing invalid, unexpected or random inputs to URL parameters to see how the input is reflected in the application. “Based on the result, you can get an idea of where there might be security weaknesses and vulnerabilities, and look into those areas more in detail,” she explained.
Moreover, running a bug bounty programme might prove to be a more economical option for companies as they only pay when certain vulnerabilities are discovered. Yerzak said, “Companies do not have unlimited budgets to spend on preventative testing of their applications, in which payment is rendered regardless of whether the testing finds any issues or not.”
However, according to Solskär, managing a bug bounty program can quickly become an overwhelming task for organisations. “Before setting up a vulnerability disclosure program you need to have a proper internal process in place for handling the bugs and communicating with the hackers,” she said. “With cyber threats climbing the agenda for companies across industries, there is also more competition for the hackers’ expertise. For a bug bounty program to be successful today, companies need to pay competitively to motivate hackers.”
Another challenge with bug bounties is that they indiscriminately attract the attention of both black hat and white hat hackers. Yerzak said, “The benefits of a crowdsourced set of testing methods are partially offset by the risk of releasing software to the public before it has been adequately tested internally, because a significant vulnerability may be discovered by a black hat hacker and exploited before it ends up being reported by an ethical hacker.”
Future lies in the hands of hackers
Bug bounty programmes have been in use since the mid-nineties, so they’re hardly a new concept, but with cyberattacks soaring in the past few years they’ve grown in popularity. Clearly, the need for a robust digital security system is higher than ever. FinTech companies, in particular, saw a critical need for crowdsourced security due to the new challenges created by the pandemic and an increase in the activity of fraudsters trying to take advantage of compromised systems. According to Bugcrowd’s Priority One report, FinTech firms doubled their payouts for critical security vulnerabilities from Q1 of 2020 to Q2. With financial service providers being entrusted with personally identifiable information, the demand for cybersecurity continues to escalate, making it a top priority for companies to beef up their cyber defences. It is therefore unsurprising to see several cybersecurity companies rake in millions in capital. In Q1 2021, the CyberTech sector saw $4.1bn invested, driven by 17 deals of $100m or more, compared to just three such transactions recorded in Q1 2020, according to FinTech Global’s research. In addition, the list of CyberTech unicorns is growing rapidly, with ten new startups joining the billion-dollar club in 2021.
According to Solskär, ethical hackers are undoubtedly becoming the cyber soldiers for companies in all sectors. She said, “By leveraging automation and building their own tools, bug bounty hunters can find vulnerabilities with low effort. With many organisations struggling to find cybersecurity talent, bug bounty programs can be a cost-efficient solution to improve the security posture.”
Looking ahead, Solskär believes that there will be a proliferation of more platforms capitalising on bug bounty programmes. She said, “We’re still in the beginning of this, and we will see bug bounties evolving a lot in the next couple of years. There will be more third-party solutions where businesses can set up and manage their own bug bounty programs more easily.”
Yerzak believes bug bounty hunters will disrupt the security sector and more companies will start using the power of the crowd to get access to critical bug research. He concluded, “Bug bounty programmes have changed the cybersecurity sector by leveraging a potentially limitless source of hopeful testers to find flaws in an application – sometimes at the expense of more thorough testing in-house before the application goes live.”