As criminal activity on the Internet continues to accelerate, the search for bugs for cash has begun to attract more and more security researchers.
In its latest annual report, the bug bounty platform Intigriti revealed that the number of analysts signing up for its services increased 43% from April 2021 to April 2022. For Intigriti alone, that means the addition of 50,000 researchers.
For the most part, the report noted, bug bounty hunting is a part-time job for those researchers, with 54% having a full-time job and another 34% being full-time students.
“Bug bounty programs are quite successful for both organizations and security researchers,” said Ray Kelly, a member of WhiteHat Security, an application security provider in San Jose, California that was recently acquired by Synopsys.
“Effective bug bounty programs limit the impact of serious security vulnerabilities that could easily have left an organization’s customer base at risk,” he told TechNewsWorld.
“Bug reporting payments can sometimes exceed six figures, which can seem like a lot,” he said. “However, the cost to an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue.”
Reward of ‘good faith’
As if there wasn’t enough incentive to become a bug bounty hunter, the US Department of Justice recently sweetened the pot by adopting a policy stating that it would not enforce the federal Computer Fraud and Abuse Act against hackers who are deemed to be acting in “good faith” when trying to discover flaws in software and systems.
“The recent policy change to stop prosecuting researchers is welcome and long overdue,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation in Tel Aviv, Israel.
“The fact that researchers, for years, have tried to find and help fix security flaws under a regimen that amounted to ‘no good deed goes unpunished’ shows the dedication they had to doing the right thing, even if doing so meant risking fines and jail time,” he told TechNewsWorld.
“This policy change removes a pretty significant roadblock to vulnerability research, and we can expect it to quickly pay dividends with more people looking for bugs in good faith without the threat of jail time for doing so,” he said.
Today, discovering bugs in other people’s software is considered a respectable business, but it hasn’t always been that way. “Originally, there were a lot of problems when bug bounty hunters found vulnerabilities,” observed James McQuiggan, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Organizations would get very offended and try to charge the researcher for finding it out when, in fact, the researcher wanted to help,” he told TechNewsWorld. “The industry has recognized this and now has email addresses set up to receive this type of information.”
Benefit of many eyes
Over the years, companies have realized the benefits that bug bounty programs can bring. “The task of uncovering and prioritizing vulnerabilities and unintended consequences is not, and should not be, the focus of an organization’s resources or efforts,” explained Casey Ellis, CTO and founder of Bugcrowd, which operates a crowdsourced bug bounty platform.
“As a result, a more scalable and effective answer to the question ‘where am I most likely to be compromised next?’ is no longer considered a nice-to-have, but essential,” he told TechNewsWorld. “This is where bug bounty programs come into play.”
“Bug bounty programs are a proactive way to remediate vulnerabilities and reward someone’s good work and discretion,” added Davis McCarthy, principal security researcher at Valtix, a cloud-native network security services provider in Santa Clara, California.
“The old saying, ‘many eyes make all bugs shallow,’ rings true, given the lack of talent in the field,” he told TechNewsWorld.
Parkin agreed. “With the sheer complexity of modern code and the myriad of interactions between applications, it’s vital to have more responsible eyes looking for faults,” he said.
“Threat actors are always working to find new vulnerabilities they can exploit, and the threat landscape in cybersecurity has only gotten more hostile,” he continued. “Increasing bug bounties is a way for organizations to get some independent researchers on their side in the game. It’s a natural reaction to an increase in sophisticated attacks.”
Bad actor rewards program
While bug bounty programs have gained wider acceptance among businesses, they can still create friction within organizations.
“Researchers often complain that even when companies have a coordinated bug bounty or disclosure program, there is too much resistance or friction. They often feel slighted or rejected,” said Archie Agarwal, founder and CEO of ThreatModeler, an automated threat modeling provider in Jersey City, N.J.
“Organizations, for their part, are often stuck when presented with a disclosure because the researcher found a fatal design flaw that will require months of concerted effort to mitigate,” he told TechNewsWorld. “Perhaps some prefer those flaws to remain buried out of sight.”
“The effort and expense of correcting design flaws once a system is implemented is a critical challenge,” he continued. “The ultimate way to avoid this is to threat model systems as they are built and as their design evolves. This equips organizations with the ability to proactively plan for and deal with these flaws in their potential form.”
Probably one of the best testaments to the effectiveness of bug bounty programs is that malicious actors have begun to adopt the practice. The LockBit ransomware gang offers payments to people who discover vulnerabilities in its leak website and code.
“This development is novel, however I doubt they will get many takers,” predicted John Bambenek, lead threat hunter at Netenrich, an IT and digital security operations company based in San Jose, California.
“I know that if I find a vulnerability, I will use it to jail them,” he told TechNewsWorld. “If a criminal finds one, it will be to steal from them because there is no honor among ransomware operators.”
“Ethical hacking programs have been hugely successful. It’s not surprising to see ransomware groups refining their methods and services in the face of such competition,” added Casey Bisson, head of product and developer relations at BluBracket, a cybersecurity services company in Menlo Park, California.
He warned that attackers are increasingly discovering that they can buy access to the companies and systems they want to attack.
“This should make every company look at their internal supply chain security, including who and what has access to their code and any secrets it contains,” he told TechNewsWorld. “Unethical bounty programs like this one turn passwords and code keys into gold for everyone who has access to their code.”