If you’re not at the table, you’re on the menu: the case for bug bounties

As fear of cyberattacks grows, so-called ‘bug bounties’ offer firms a way to buy information on security vulnerabilities in their systems before it becomes public or falls into the hands of bad actors. In the future these transactions will be moderated by trusted intermediaries; until then, firms should carefully weigh up the pros and cons.

Alex Davies ([email protected])

Bug Bounties

Cash for answers

From the world’s exchanges to your bank account, the globe’s ever-spreading webs of code place our data security in growing jeopardy. Attempting to head off cyberattacks, corporations of all stripes are rewarding those who find vulnerabilities in their software. But what are ‘bug bounties’?

Bug bounties are schemes that exchange money – the ‘bounty’ – for information on software security flaws not yet known to the developer, so-called ‘zero-days’. A developer that purchases this information can patch its systems before the weakness becomes public or is exploited. Two characteristics distinguish bug bounties from other security practices:

  • No existing contract. Unlike a penetration test or ‘red-teaming’ engagement, in which a contracted team is paid an agreed fee to search for security vulnerabilities, an organization offering a bug bounty has no standing agreement with the people who will find them. Instead, the discoverer approaches the organization with proof of the vulnerability (typically a write-up and a working proof of concept), and the two parties settle on a price, whether through a published reward schedule or by negotiation.
  • Competing with bad actors. A researcher holding a zero-day is under no obligation to report it to the affected developer. They may exploit it themselves or sell it to third parties, including exploit brokers, nation-state governments and organized crime. The bounty therefore has to compete with those alternative buyers.

Why pay?

Readers tasked with fighting financial crime may shudder at the idea of passing money under a door in cyberspace in the hope of buying protection. So why pay?

For the simple reason that a firm that declines to buy may find the information sold elsewhere: if the developer is not a buyer, researchers and brokers will sell to those who are, keeping the vulnerability from the one party that could fix it. In 2016, Citizen Lab at the Munk School of Global Affairs & Public Policy in Toronto documented the apparent use, against a prominent UAE human rights activist, of commercial spyware that relied on a chain of previously unknown iOS vulnerabilities to take over his phone. Though Apple itself wasn’t the target, the case showed how zero-days in widely used software undermine the security guarantees the vendor offers its users; Apple patched the flaws shortly after being notified.

But why not just spend on internal security measures? Because ‘marking your own homework’ has limited security benefits. Internal security teams find it hard to adopt the genuinely adversarial stance needed to test their own firm’s defences. All software has vulnerabilities, and every organization has staff with incentives to leave them unreported. Bug bounties offer one way of surfacing a layer of cyber risk that might otherwise go unnoticed or ignored.

Bountiful bugs

Possessing information on a security vulnerability is not, in itself, illegal in most jurisdictions. Neither, generally, is selling it to a third party, although export-control rules on ‘intrusion software’ now constrain such sales in some countries. Many nonetheless consider it unethical to sell this information to a buyer that plans to use it to attack a network, since the attack itself would be illegal almost everywhere. In spite of these reservations, a ‘grey market’ has grown up as software developers pursue greater security through bug bounties. Further, software users are beginning to engage with the process as the threat posed by insecure software sharpens.

This ‘market’ comprises four broad channels for obtaining vulnerability information (see Table 1).

Table 1: Buying bug bounties: channels through which vulnerability information can be bought and sold
[Table: vulnerability purchase channels]
Source: Chartis Research

At the table, or on the menu

Bug bounties have so far mostly concerned widely deployed software from established technology companies, such as Microsoft (Windows) and Apple (iOS), and the users of that software. But as financial institutions (FIs) and their vendors write more software, they will introduce more vulnerabilities of their own. Both groups should weigh the pros and cons of paying for information on zero-days in their systems. Finding a hole in an internet banking portal before attackers tear through it could avoid millions of dollars in remediation costs, lost revenue and regulator-imposed fines; the same applies to the vendors that supply the systems modern FIs rely on, from payment processors to core banking platforms. Crucially, a firm should quantify the risk a hypothetical exploit of each system poses in order to set an appropriate bounty for it. That exercise doubles as a stress test: it ranks the firm’s systems by exposure and identifies those most in need of additional security research.
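The quantification step can be made concrete with a simple expected-loss model. The following is an added illustration, not a Chartis Research method or any firm’s actual bounty schedule; the systems, probabilities, impacts, and the share, floor and ceiling parameters are constructed assumptions that a firm would replace with its own risk estimates and with what competing buyers are known to pay.

```python
"""Illustrative risk-based bounty sizing (added example; not Chartis Research's
method or any firm's real schedule).

Assumed model: for each system, estimate the annual probability that an
exploitable flaw is found and used by an attacker, and the loss if that happens
(remediation, lost revenue, fines). Expected annual loss (EAL) is their product.
The bounty offered for a critical flaw in that system is a fraction of the EAL,
bounded by a floor (so small systems still attract researchers) and a ceiling
(so the offer stays well below what a real exploit would cost the firm).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SystemRisk:
    name: str
    p_exploit_per_year: float  # assumed probability of discovery + exploitation in a year
    impact_usd: float          # assumed loss if that happens, in US dollars


def expected_annual_loss(system: SystemRisk) -> float:
    """Return the system's expected annual loss in US dollars."""
    if not 0.0 <= system.p_exploit_per_year <= 1.0:
        raise ValueError(f"{system.name}: probability must lie in [0, 1]")
    if system.impact_usd < 0:
        raise ValueError(f"{system.name}: impact must be non-negative")
    return system.p_exploit_per_year * system.impact_usd


def bounty_for(system: SystemRisk, share: float = 0.01,
               floor_usd: float = 1_000.0, ceiling_usd: float = 250_000.0) -> float:
    """Bounty for a critical finding: a share of EAL, clamped to [floor, ceiling].

    The share, floor and ceiling are assumptions a firm would tune against
    what brokers and other buyers are known to pay for comparable exploits.
    """
    raw = expected_annual_loss(system) * share
    return round(min(max(raw, floor_usd), ceiling_usd), 2)


def prioritise(systems: list[SystemRisk]) -> list[SystemRisk]:
    """Rank systems by EAL, highest first: the top entries most need research."""
    return sorted(systems, key=expected_annual_loss, reverse=True)


# Constructed sample portfolio for a hypothetical bank; every figure is invented.
PORTFOLIO = [
    SystemRisk("internet banking portal", 0.10, 20_000_000.0),
    SystemRisk("payments gateway (vendor-supplied)", 0.05, 50_000_000.0),
    SystemRisk("internal HR portal", 0.20, 200_000.0),
    SystemRisk("core banking platform (vendor-supplied)", 0.02, 400_000_000.0),
]


if __name__ == "__main__":
    for system in prioritise(PORTFOLIO):
        print(f"{system.name:45s} EAL ${expected_annual_loss(system):>13,.0f}"
              f"  bounty ${bounty_for(system):>10,.2f}")
```

Two things the ranking shows that a gut-feel list would not: the vendor-supplied core banking platform, with the lowest assumed probability of exploitation, still tops the list because its impact dwarfs the others, which is exactly the concentration of vendor risk the article is concerned with; and the floor keeps the offer for a low-value internal system high enough that a researcher has some reason to report rather than ignore it.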

Regulators and other governmental bodies should also sponsor bounties. The European Union has begun paying for vulnerabilities in open-source software used by its institutions through its Free and Open Source Software Audit (EU-FOSSA) project. FIs form critical national and global infrastructure, and the vendor-supplied systems underpinning their operations are similarly crucial, particularly in sectors where only a few vendors dominate. Regulators must recognize the concentration of cyber risk created by the widespread adoption of common software and support corporations’ drive for better cybersecurity.


Further reading

“Cyber Risk Quantification Solutions, 2019: Market and Vendor Landscape”

“Push harder on cyber intel sharing, Apac regulators told” (Risk.net, May 2019)

“FCA survey reveals significant increase in tech failures” (Risk.net, November 2018)