SoS Musings #43 - Crowdsourcing Security with Bug Bounty Programs

SoS Musings #43 -

Crowdsourcing Security with Bug Bounty Programs

Companies are increasingly enlisting the help of ethical hackers through bug bounty programs. Bug bounty programs are crowdsourcing initiatives that encourage security researchers to find and appropriately report the security issues they discover to the sponsoring organization. These programs support cooperation between security researchers and organizations, and allow researchers to receive awards to discover zero-day exploits and flaws in a particular application. The incentivization of vulnerability reporting by recognizing and compensating individuals for submitting findings regarding security exploits and software bugs allows organizations to crowdsource security testing to a community of hackers with the intent to enhance the security of the Internet ecosystem. According to HackerOne, a company that hosts bug bounty programs for organizations, including the US Department of Defense and Google, participating white hat hackers have discovered and reported more than 565,000 software vulnerabilities. They have earned over $100 million through their reports as of September 2020. HackerOne's fourth annual report also reveals an increase in organizations turning to hackers to help them find security holes in their cyber defenses and software during the COVID-19 pandemic as the expedition of digital initiatives supporting the transition to remote working has created new vulnerabilities. The report highlights the 86% year-on-year increase in total bounties, with more than $44.75 million paid out to hackers over the past year, most of which was rewarded by organizations in the US. Companies have adopted the bug bounty program model for a variety of systems.

Organizations in different sectors have turned to bug bounty programs to discover vulnerabilities in various applications. Microsoft launched a bug bounty program for its free, open-source Software Development Kit (SDK) called ElectionGuard aimed at improving the security, transparency, and accessibility of the voting process. Participating security researchers were asked to find flaws in ElectionGuard specification and documentation, verifier reference implementation, proof generation, proof checking code, and more, in return for rewards ranging from $500 to $15,000. The US Department of Defense's (DoD) tenth bug bounty challenge and fourth Air Force program called Hack the Air Force 4.0 invited ethical hackers to find and disclose vulnerabilities in the Air Force Virtual Data Center, which is a group of cloud-based servers and systems. A total of 60 hackers were able to uncover more than 460 vulnerabilities in the data center, which earned them over $290,000 in bounties. The submissions made by hackers in the previous editions of the Hack the Air Force bug bounty challenge resulted in the discovery of a total of more than 430 vulnerabilities and the payout of over $360,000 for valid findings. Since the Hack the Pentagon program launched in 2016, more than 12,000 vulnerabilities in DoD's public-facing web sites and applications and internal systems have been discovered. A team of security researchers participating in Apple's bug bounty program was rewarded $288,500 for discovering 55 critical vulnerabilities in the company's online services, some of which could allow attackers to compromise customer and employee applications and execute a worm capable of taking over a victim's iCloud account. Facebook paid security researchers a total of $2.2 million for reporting their discoveries of vulnerabilities to the social media platform's bug bounty program. One of the participating researchers received the highest reward of $65,000 from Facebook's bug bounty program for their discovery of a vulnerability that could result in data leaks from a copyright management endpoint. A security researcher reported a Denial-of-Service (DoS) vulnerability found in the Tesla Model 3 automobile's web browser through Tesla's bug bounty program that could lead to the dysfunction of the vehicle's touchscreen once the car's boarding computer visits a specific website. This vulnerability posed a significant threat to safety as it could disable autopilot notifications, climate controls, navigation, the speedometer, and Tesla's other essential functions. The expected increase in Internet of Things (IoT) devices, resulting from the roll out of 5G connections will not only increase cybersecurity risks, but will also likely drive the growth in the adoption of bug bounty programs. The effectiveness of these programs depends on various factors.

There are certain aspects for organizations to consider before adopting a bug bounty program to increase its effectiveness. Organizations must realize that these programs do not eliminate the need for secure software development, ongoing vulnerability scanning, software testing, and penetration testing. Bug bounty programs are meant to be incremental to those practices in that they are designed to find the security bugs that internal and external testing processes miss. Organizations must have an in-house security program already in place to protect valuable assets because sole dependence on bug bounty programs is not enough to fill gaps in an enterprise's security. Researchers from the Hong Kong University of Science and Technology published a paper titled, "Bug Bounty Programs, Security Investment and Law Enforcement: A Security Game Perspective," emphasizing that the use of bug bounty program is not a one-size-fits-all solution and that there is still a need to assess the security environment, value of systems, vulnerabilities faced by these systems, and in-house protection methods to increase the effectiveness of such programs. Katie Moussouris, MIT Sloan School of Management visiting scholar and former Chief Policy Officer for HackerOne, gave a presentation at the 2018 RSA Conference. She discussed the elements needed to derive value from bug bounty programs. These elements include understanding commonly discovered flaws by bug bounties, fixing those bugs internally, and avoiding "low-hanging fruit" security flaws, which are vulnerabilities that are easy to detect and fix, such as XSS bugs, SQL injection, improper access control, and more. Participating white-hat hackers should be encouraged to find new and more complex vulnerabilities. There are certain steps that organizations should take when designing and administering bug bounty programs.

The Department of Justice (DoJ) provided guidance for organizations to follow when adopting bug bounty programs to reduce the risks associated with such programs. Organizations are urged to set the scope for adopted bug bounty programs to specify what data and systems are subject to exploration, as well as the methods that can be used to find vulnerabilities. If an organization wants to include systems containing sensitive information in the bug bounty program, it must consider imposing restrictions regarding accessing, copying, transferring, storing, and using such information. It is essential to make the procedures and form in which participating hackers can submit discovered vulnerabilities clear. Organizations should determine who should be the point-of-contact responsible for receiving and handling disclosure reports. A plan should also be in place for handling accidental or deliberate malicious violations of established bug bounty program policies or procedures. Vulnerability disclosure policies should clearly specify what conduct is authorized and unauthorized, and the consequences of violating program rules and complying with the policy. Participating hackers should also be encouraged to seek clarification before performing actions that the policy may not address or may result in a violation. The rules of the bug bounty program must also be easily accessible and available to participants. The procedures, policies, and channels for reporting vulnerabilities in a bug bounty program must be made clear to participants to prevent the improper disclosure and handling of discovered vulnerabilities.

Bug bounty programs are expected to grow in adoption due to the increase in remote work during the COVID-19 pandemic and advancements in technology, which will create new cybersecurity vulnerabilities. It is essential for organizations and the security community to further explore the benefits and challenges associated with such programs to increase their effectiveness in improving security.