One of the most common questions we encounter in conversations around bug bounty programs is “Why would I invite hunters to hack my assets?”, “Why should I trust hunters?”, or some variant thereof.
There are different opinions surrounding this question, but most are based on the assumption that the hunters who are part of the community are in an unknown or shadow entity of actors whose motives are opaque and possibly nefarious.
As a result, there is much trepidation surrounding the integration of the community into an organization’s security strategy.
It is good to be cautious when considering opening assets to hunters and questions of this nature are a natural part of your due diligence when considering Epic Bounties’ services.
From Epic Bounties we will answer the most frequently asked questions that CISOs often ask and share tips when considering the use of a bug bounty program for your company.
Why would I invite hunters to hack my assets?
Simply put: because the “bad guys” do it anyway. Laws aside, the bad guys are going to look for trouble with or without your permission; if there’s any doubt, just ask anyone who has worked in a Security Operations Center (SOC) or Network Operations Center (NOC): port and application scans are incessant. On a more macro level, just look at the frequency with which organizations around the world are breached in one way or another (we only hear about the most newsworthy ones). Regardless of how small a company is, someone is looking for a way in.
By engaging the hunter community to test your assets through a bug bounty program, you are effectively emulating what unethical hackers would do themselves. Instead of learning about vulnerabilities after they’ve been compromised, you can learn about (and remediate) them before the nefarious parties do. The benefits of this are twofold:
By involving the community to help identify areas of risk, you get the most accurate picture possible of your exposure both in terms of vulnerabilities and attack surface. Scanners may find some things, and pentesters may find others, but a mass participation security program (such as a bug bounty program) brings the value of both human ingenuity and automated testing at scale. That is, two active testers will typically find more problems than one, ten more than two, five hundred more than fifty, and so on… all of this is possible because each individual (out of the thousands in the community) brings a unique set of skills, perspectives, methodologies, and so on. The community at scale provides a perspective that is unmatched by any technology on the planet to give the most accurate picture of how hunters think and how they would approach their assets (often finding huge amounts of unprotected assets that clients were unaware of). Moreover, the community augments this disproportionate advantage by often leveraging their own highly effective, self-developed tools (which are not, for example, on the open market) along with their specific expertise.
By quickly identifying and remediating problems, you become a less attractive candidate for attackers. By having a more secure attack surface as a result of testing with the community, the time it takes to find a new valid problem is substantially extended for attackers, providing a much less attractive ROI for attacking your organization rather than attacking one with a less proactive security posture.
How can I trust the community? More specifically, how can I trust hunters to report vulnerabilities to the program and not sell them on the black market?
An understandable concern, to which we must respond with a couple of points.
To specifically address the notion of selling or exploiting found problems themselves, simply by having a crowdsourced security program (e.g., a bug bounty program), the relative black market value of a vulnerability against your asset decreases substantially. How so? First, this means that in a world of scarcity, with relatively few people competing to find problems in a given asset (say, a team of hunters targeting your site), a vulnerability found is likely to be known only to that group or to a very small subset of individuals who may intend to use it in a nefarious context. Any finding identified here will ostensibly be usable for a long time, and the odds of it disappearing off the map overnight are relatively low. Ultimately, if the goal is to sell vulnerabilities, the worst place to do so is a bug bounty program.
The market value of discoveries decreases and the number of discoveries available is less than that of a company that does not have a bug bounty program, leading to an equation that is far from ideal for anyone trying to make a living that way. In short: if one wants to be nefarious, there are much better ways to do it.
How can the community help if I can only leverage people who are in certain geographies or with certain levels of trust?
As mentioned above, Epic Bounties is able to find the right investigators for your company’s needs. However, we don’t recommend setting any of those requirements unless absolutely necessary. Why? Because the community is absolutely most powerful when there are no restrictions on who can participate.
We strongly encourage organizations to avoid employing artificial barriers to the type of talent that can be invited into the program. If certain specifications must be met to achieve a desired level of trust for your specific organization, we at Epic Bounties can help put that trust in place. In addition, it’s worth remembering that the vast majority of the community have day jobs as cybersecurity professionals. They are not obscure, mysterious people who have no past or forms of identification, and who only exist between certain times of the day. They are largely infosecurity professionals (current or reformed), just like the rest of us, who like to break things in their spare time, love to bust shells, get paid for it, and help make the Internet a safer place.