Tuesday, July 7, 2020

How the commercialization of bug bounties is creating more vulnerabilities


This week on The Vergecast interview series, Verge editor-in-chief Nilay Patel talks to founder and CEO of Luta Security Katie Moussouris.

Moussouris has a long history in computer security, working at Microsoft and the Department of Defense creating their first bug bounty programs to incentivize finding and reporting security bugs and vulnerabilities in software systems.

Nilay and Katie discuss the history of bug bounty programs, from the early iterations to the current state of affairs, from good to bad. Though Moussouris says the practice of hiring hackers to help make organizations more secure has significant positives, the commercialization of the practice has created blind spots and other unintended incentives.

Below is a lightly edited transcript from that conversation.

Nilay Patel: Where are the failings of a bug bounty system?

Katie Moussouris: Well, right now, honestly, the failing, I've got to say, is in the commercial implementation of bug bounties. So my company basically goes in and assesses organizational maturity, like, "Are you ready for this? Can you handle the truth?"

And for quite a few of the questions we ask, organizations are like, "Yeah, but we want to do this industry best practice thing called a bug bounty. And we know that you make all these big bug bounties. You just make us a bug bounty."

And I'm like, "But you haven't actually been able to keep up with patching the systems that you know are out of date. How can you actually deal with this added volume?" And they say, "Oh, but we'll just hire a bug bounty service provider, and they'll take care of everything for us." And I'm like, "Wait a minute. What part about your internal fix process did you not understand from the rest of the questions?" Because they're sitting there going, "We've been told we can outsource this."

I see it as failures of both sides of the marketplace. I used to work for a bug bounty company. I believed in this model as, "Hey, why don't we make it easier to connect companies with hackers and make it safer for everybody? And eventually, the companies and the governments will become more secure, and eventually, the hackers will also not only stay out of prison and make a living, but they'll scale up." Because ideally, what you want to see in the whole world is no low-hanging fruit anymore. You want to see people actually addressing those bugs themselves -- preventing them, ideally. But even if they accidentally coded up some low-hanging fruit bugs, to be able to find them themselves. Not rely on third-party randos on the internet to come tell you about this low-hanging fruit.

So where I've seen this failing is that commercial bug bounty platforms, basically their business model is you stay bad at security so that there's quite a few low-hanging fruit to be found and the relatively low-skilled labor that hangs out on the bug bounty platforms -- with very few exceptions, there are highly skilled folks on these bug bounty platforms. But I think I read the latest report from one of the leading bug bounty platforms, out of 600,000 registered users, 146 of them have ever made more than $100,000 in their entire lifetime on the platform. You know, a professional penetration tester, even 15 years ago when I did this, already, the starting salary was over $100,000.

So we're not seeing actually a good evolution of the state of security as a result of these programs. We're also not seeing a good evolution of the state of the cybersecurity workforce. We see a huge base of the pyramid, which is kind of the folks who are able to run free or practically free scanning tools and kind of give you the low-hanging fruit reports. And they're making up the majority of bug bounty hunters. And this tiny little top-of-the-pyramid of highly skilled workers -- that is, literally less than 200 people -- are at the very, very top. And that's despite these companies being in existence for the last eight years.

It's so funny that you are describing an economic model for cybersecurity, for hacking, that looks an awful lot like a user-generated content platform economic model. You could have just described YouTube or Instagram or any of these other platforms that promise lots of people access but only reward a tiny fraction of the folks. Is that an unfair analogy?

Absolutely. I mean, the rules of bug bounty are only the first one to report a unique bug gets paid for it. So think of all the low-hanging fruit. You could be spraying and praying your scanning tools, but to even make money on something that was very easy to find, you just gotta be the first one in. So there's a whole lot of unpaid labor that goes into these platforms.

And then let's say even if you're operating at some of the higher technical levels and finding more complex bugs, we hear complaints left and right of companies saying, "Oh, we knew about that bug already, so we're not going to pay you. It's already in the process of being fixed." So there's a whole bunch of cases where people are not getting what they signed up for. I look at it as yet another failed implementation of the gig economy right now.

We all had quite a few high hopes that the gig economy would help quite a few people. And it's not been turning out great for certainly the labor side of things. But in the case of bug bounty, it's not turning out great for the demand side, the hiring side, either. They're not able to access a huge new labor workforce. That tiny number of people who are fairly highly skilled and making good money on these platforms, they maybe don't want to quit their lifestyle. A few of them have decided to work internally at companies, but they're kind of keeping their bug bounty hunting skills on the side and everything. So we're just not seeing the whole gig economy as applied in bug bounty platforms working out for either side of the equation.

So to keep this comparison going maybe past its breaking point, when we were talking about YouTube or Instagram, a thing that is real there is that it's working out great for YouTube and Instagram. They have no incentive to fix it because they're getting all the rewards. I would think at least there's more real money flowing through the bug bounty ecosystem and there is the very real threat of "Hey, there's vulnerabilities in our software." So it does seem like there's some incentive to evolve it, to evolve that model. What changes have you seen coming, or does that incentive just not exist?

Well, after leaving one of the bug bounty companies, I stayed on as an adviser for pretty close to a year and worked with them on various mutual customers. I've had customer overlaps with quite a few of the bug bounty companies, if not all of the major US ones. And the thing I keep seeing in their business model is that I would like to help organizations get more mature. So fewer low-hanging fruit bugs, more complex bugs. But all of their business models depend on there being chum in the water all the time of low-hanging fruit.

So they don't want the process delays of [when] my company usually goes in and says, "Are you ready for this? Have you invested internally in finding the bugs yourself? Did you know it's up to 45 times cheaper if you actually find security bugs in the design phase?" And that basically ends up delaying the sale of bug bounty, which isn't appropriate for everyone and certainly not appropriate if you can't even fix the bugs you already know about.

So I think the inherent conflict that's come up with the different business models -- bug bounty versus the consulting services that my company provides -- is bug bounties can help with a tiny fraction of what you already need to do for vulnerability management, but it's being positioned as the easy button for it. We're seeing quite a few companies come to grips with the fact that they're having breaches still even if they have a bug bounty or they can't bounty everything.

There's one airline who has had a bug bounty for a little over four years. That's United Airlines. Is it on the planes? No, it's on the websites. It's against the website. So how are we safer in the skies? Well, we're not. But the appearance of looking like you're doing diligence when it comes to vulnerability management, I think that's where commercial bug bounty enablement platforms have been pushing, like, "Look, you know, just look quite busy." Yeah, you're playing whack-a-bug and everything and this is super inefficient, but you can say that you take security very seriously and you're fixing all these low-hanging fruit bugs and whatnot. We won't call them that. We'll just say that, you know, there are all these bugs and that it's super valuable. And then when you get breached, maybe you won't get in trouble because you can say, "Well, we tried. We had a bug bounty and just nobody reported that particular one to us."

So I don't know. I mean, I would love to say that this is all evolving in the right direction, but frankly, I've seen it devolving, especially in the last couple of years of the commercialization of bug bounties.
