If you expect a bug bounty to find and fix your organisation’s hidden cybersecurity problems, you’re wrong. To steal a line from the late John Clarke, you’re a fool to yourself and a burden to others.
Bug bounties are certainly sexy. You’ll look like you’re engaging with the wider cybersecurity community, and you’ll get great media coverage when a hacker strikes it rich.
There’s also the belief that if your organisation doesn’t pay to know about the bugs, then organised criminals and nation-states will.
But the reality? You may well be paying out big bucks to find generic, easy-to-find vulnerabilities, according to Katie Moussouris, founder and chief executive officer of Luta Security.
“Not all bugs are created equal,” she told the Gartner Security and Risk Management Summit in Sydney on Monday.
The vast majority of bugs found via bug bounty programs are cross-site scripting [XSS] bugs, a known class of bugs that are easy to detect, and easy to fix.
“Why would organised crime or nation-states pay for simple classes of bugs that they can find themselves? They’re not going to pay some random researcher to tell them about cross-site scripting bugs,” Moussouris said.
“You should be finding those bugs easily yourselves too.”
Moussouris is a huge supporter of bug bounties, having run both the Hack the Pentagon and Hack the Army programs for the US military. But she says that relying on a public bug bounty program just creates the “appearance of diligence”.
“This is not appropriate risk management. This is not getting better when it comes to security vulnerability management,” she said.
Moussouris told the story of one security researcher who’d made $119,000 in a bug bounty program. That’s more than $29,000 per hour to find simple bugs in a known class.
“That’s a great ROI [return on investment] for that researcher. It’s a terrifying ROI for the organisation that paid him,” she said.
Security professionals researching new and complex classes of vulnerabilities are paid well, but nowhere near $29,000 an hour. Simple bugs can be found way, way more cheaply.
Bug bounties can also have a low signal-to-noise ratio, as shown in statistics from HackerOne.
Of the more than 300,000 registered hackers, only around one in 10 has found something to report, and only a quarter of those have been paid a bounty. Only 1000 hackers have earned $5000 or more, which is less than a third of a percent of the total.
Another hacker made a million dollars over three years. But to do that, he filed more than 1600 bug reports, only 128 of which were critical.
“He really was just jamming away with those publicly-available tools — honing his skills certainly — but nowhere near the skill level and the value delivery over that three years that equates to a million dollars,” Moussouris said.
Whether an organisation has a public bug bounty program or not, most have no organisation pipeline for handling them.
Only three of the exhibitors at Gartner’s summit in São Paulo, Brazil, earlier this month could tell Moussouris how to report a vulnerability to their organisation. One exhibitor even said something like “No, we don’t have vulnerabilities. We protect you from vulnerabilities”.
They’re not alone. Some 94% of the Forbes Global 2000 companies have no published way to report a security vulnerability, she said. Few have a formalised process for validating and triaging vulnerability reports and making sure they’re fixed.
Then there’s the eternal problem of basic cyber hygiene. Moussouris says we “struggle as an industry” to deal with the last-kilometre problem of actually applying the patches.
“A lot of the patterns [have] not actually shifted that much from where we were when I started out professionally 20 years ago as a penetration tester,” she said.
“We’ve created a $170 billion industry, which, we’re really good at a few things, security not exactly being one of them. Marketing, definitely.”