Viewpoints

Crowdsourcing security fixes with bug bounties

Kevin Townsend, 16 July 2020

Bug bounty programs can greatly benefit businesses and are used by some of the world's biggest tech and government organizations alike.

What are bug bounties?

Every company needs to find and fix flaws in its products or services. As software becomes more complex, feature-rich and integrated, it gets harder – if not impossible – to eliminate all bugs. Now that users have accepted an always-online ecosystem and live-patching of already released products, vulnerabilities in code need to be hunted on a continuous basis, and found and fixed quickly to reduce zero-day threats and protect sensitive data.

This can become prohibitively expensive for businesses, especially smaller software companies and startups – it would need a dedicated bug-chasing team operating continuously and indefinitely on full pay. Since bugs that can’t be found can’t be fixed, this team would provide no guarantee of consistency or effectiveness. Potentially, there could be zero improvement to the product, and no return on the cost of employing the team.

One solution has been the evolution of bug bounty programs. A bug bounty is a reward paid to an independent researcher for the discovery of a flaw, usually in the software, but also in firmware, hardware and business processes. The more likely and easily criminals could exploit the flaw, the greater the bounty paid out. However, since a bounty is only paid on the successful discovery of a bug, it is a cost-effective way of crowdsourcing bug hunting without the need to pay continuous salaries to in-house staff.

The bug bounty concept is successful. Hundreds and even thousands of bugs have been fixed in single months. It has become its own economic ecosphere, with a few security researchers earning a living entirely from seeking out critical bugs. While some bug bounty programs are closed – open to only invited or vetted security researchers – the most money circulates in open programs, which offer rewards to anyone discovering the bugs. 

Bug bounty systems

Independent bounty platforms

Many organizations handle their bug bounties via third-party platforms. These platforms provide services to companies who want to benefit from bug bounties without having to set up and promote their own infrastructure from scratch. Such platforms provide a centralized userbase of security researchers while helping businesses to manage their bounty targets and disclosure policies. There are dozens of bug bounty platforms around today, but two of the largest and most influential are HackerOne and Bugcrowd. Many other platforms exist, but these two hold status as the most important in today’s cybersecurity community.

HackerOne

HackerOne is probably the most populous bug bounty platform, with over 600,000 registered researchers as of February 2020. Hackers using HackerOne have been paid a total of more than $80 million since the company’s founding in 2012. HackerOne often encourages a concerted effort from their researchers to seek out a specific organization’s vulnerabilities by means of hype-building, competitive events. The ongoing Hack the Pentagon program, operated on behalf of the Pentagon, shows how much this approach can succeed. Even a limited, experimental pilot for the program in 2016 saw 200 bug reports submitted within the first six hours of the program’s launch.

Bugcrowd

The most well-established of the major bounty platforms, Bugcrowd incentivizes its researchers with gamification and bonuses. It offers both financial rewards and prestige badges for users based on how many valid reports individual researchers can make, and how many critical bugs they discover. Bugcrowd also uses its own priority-ranked taxonomy of threats, allowing for clear communication between researchers and clients and decisive bugfixes. Overall earnings for security researchers are high, with $1.6 million in rewards having been paid out in October 2019 alone.

Company programs

Some organizations operate their own bug bounties independently, without relying on platforms like Bugcrowd and HackerOne. This is viable for larger businesses that are already known to the hacker community, and can attract the attention of security researchers without third-party assistance.

Google

Google’s bug bounty program, called the Vulnerability Reward Program, was launched in 2010, making Google one of the first businesses to offer rewards to independent researchers. The program covers the Google, YouTube and Blogger domains, though various types of vulnerability are not covered by the program. Last year, Google set a record in total bounty program payouts, with over $6.5 million paid in rewards across 2019. Thanks to an increase in maximum payouts on various Google products and services, total bounty payouts have now exceeded $21 million.

Apple

Apple’s bug bounty program, called the Apple Security Bounty, was limited in scope and restricted to a closed team until last year. Before August 2019, it did not include MacOS devices and was severely limited to which security researchers could participate. This resulted in some hackers deciding to exploit vulnerabilities rather than report them. The expansion of the program also raised the maximum reward – for vulnerabilities which allow an attacker to gain complete, persistent, remote control of an Apple mobile device – to $1 million, which may be the world’s largest potential payout on a single vulnerability.

The European Union

The EU provides an unusual case of a semi-independent bug bounty program which also operates with the assistance of HackerOne and other bug bounty programs. Rather than applying to any kind of proprietary software, the EU has offered bug bounties on open source and free software since January last year, as part of its FOSSA (Free and Open Source Software Audit) project. Unlike many other programs which are active indefinitely, these bounties take place as time-limited projects to which any ethical hacker can contribute, operating with the support of various bounty platforms.

Avast

Services that keep users secure against even the newest emerging threats need to stay on top of any issues and vulnerabilities themselves. Avast Bug Bounty Program is open to any member of the public except Avast employees and their close connections, and covers almost all Avast products on PC, Mac and mobile devices. With a maximum payout of $10,000, helping Avast keep the level of protection its users expect can be rewarding.

Earning a living

It is possible for ethical hackers to make a living entirely from bug bounties, and those that succeed can make a very good living. In 2019, six of HackerOne’s registered hackers earned more than $1 million each. But this is only a very small group of elite ‘superstar’ hackers. Data suggests that, as of early 2019, even the top 1% of security researchers discover less than one vulnerability per month, on average, and earn annual payouts of just under $35,000. Enough to earn a living, though not a glamorous one.

The best that most bounty-hunters can hope for is an occasional small windfall to bolster their day job salary. Although bounty programs are highly successful for companies, dedicated threat-hunting red teams and in-house security researchers are still used extensively by larger businesses. This means that each bug bounty hunter is competing against not only other hunters, but also professional, full-time security researchers. AI and machine learning are also being used in bug hunting more and more, further reducing opportunities for an individual bounty hunter. Even aside from this, bug bounty programs have several flaws for both researchers and businesses.

The bugs in the bounties

Out of the hacker’s hands

The first hitch is that bounty payouts are entirely at the discretion of the company concerned. In almost all cases, bug bounty policies are honored in full, with disclosed errors rewarded promptly. On rare occasions there are still miscommunications or unethical responses from organizations, which leave the researcher with little recourse. It would be very easy for a business to say that a reported vulnerability had been discovered internally by an internal team and is just awaiting a patch as grounds for withholding the bounty.

In 2013, a Palestinian hacker discovered a critical vulnerability in Facebook and reported it to the bug team. The team misunderstood the report and deemed the vulnerability not to be a bug. Trying to act in good faith, the hacker used the vulnerability to post from Mark Zuckerberg’s account. This did result in the flaw being fixed, but Facebook argued the report had not come through the bug bounty program and consequently refused payout.

A clash of incentives

The bug bounty concept relies on the financial incentive for researchers to be the ‘good guys’, and to responsibly disclose security flaws. However, these financial incentives cannot always match those offered to black hats. Bug bounties encourage hackers to seek vulnerabilities, but once the vulnerabilities are found the researcher must decide between disclosure and exploitation. If a vulnerability could earn $100,000 when sold on the dark web or even directly exploited, a bounty of $10,000 just doesn’t wash. In these cases, only the personal ethics of individual hackers dictate the choice of action.

Bug bounties also reduce the incentive for businesses to release thoroughly tested products; in-house teams can be prohibitively expensive and operate with no guarantee of finding errors even when they exist. Bug bounties allow for products to be released with dramatically reduced testing time and expenses, relying on crowdsourced security research post-release to fix any vulnerabilities. Even if this makes more economic sense for the business, it still means releasing a potentially vulnerable product, along with all the risks to consumers entailed by security flaws.

No system can be perfect; if they could, perhaps bug bounties would not be necessary in the first place. Despite these issues, bug bounties have still been immensely successful in reducing vulnerabilities and rewarding researchers for important work. If you’re a security researcher and an Avast user, don’t hesitate to help improve any of Avast’s product line and check out the Avast bug bounty program for yourself.