Bug bounty programs in 2021: High payouts, higher stakes
Bug bounty programs today offer high monetary rewards for researchers, but they can also suffer from communication issues, delays and inaction that may portend bigger problems.
With massive reward payouts that can reach seven figures, the bug bounty landscape has come a long way. However, organizations are still discovering that money isn't necessarily the only key to a successful program.
Various bug bounty programs have been criticized over the years -- and especially in recent months -- for issues ranging from allegedly underpaying researchers to not properly acknowledging those who submit bugs. Out of this frustration, researchers have publicly published apparent zero days and sold their exploits to third parties such as zero-day brokers.
Programs have made great strides since the term bug bounty was coined 26 years ago at Netscape, but researcher experiences and imperfect priorities make it clear that there's still a long way to go. And with more zero-days being reported every year, the stakes are being raised.
The wide world of bug bounty programs
Bug bounty programs, which are also called vulnerability rewards programs, are dedicated programs with infrastructure built specifically to field vulnerability submissions from researchers and reward them -- typically with monetary payouts. They can be vendor-run -- Google, Microsoft and Apple all have their own -- or run by a third-party platform that works with multiple vendors and organizations as clients.
Bugcrowd and HackerOne are two of the largest examples of these types of platforms. They work with organizations as clients to help them facilitate bug bounties and provide infrastructure, acting as a middleman of sorts. Another known format can be seen with programs like Trend Micro's Zero Day Initiative (ZDI), which buys zero days from researchers before submitting them to companies directly.
HackerOne CTO Alex Rice said the most essential piece of a good bug bounty program, or any vulnerability reporting system, is safe harbor for researchers -- that those who report vulnerabilities to the appropriate party are protected, legally or otherwise. After that, transparency and speed.
"Transparency is amazing to see. The programs that have committed disclosure timelines, engage openly and talk to researchers about trade-offs and risks are very healthy," he said. "Vulnerability disclosure policies that exhibit speed speak to very mature overall security practices. Regularly resolving and intermediating vulnerabilities at a fast pace takes an incredible investment no matter what size or organization you are in. If you can exhibit that through a vulnerability disclosure program, you've probably got a very capable security program."
Bugcrowd founder and CTO Casey Ellis said one golden rule that dictates success for programs is that expectations are aligned before a report is even submitted, for the researcher as well as the program itself. In other words, what is expected of the researcher should be clear (in terms of bug severity and submission detail, for example) and what the program is willing to provide for a type of vulnerability should be clear as well.
"That's the most successful way to avoid conflicts, avoid disagreements, avoid any kind of misalignment. That's extra work because you've got to plan things out, make sure that you're setting those alignments and expectations in a way that the entire company is on board with and has agreed to all those different things," he said. "But when you get that part right, then it just becomes a matter of doing what you said you're going to do. So that, to me, is the single most consistent predictor of a successful program that actually grows over time."
Offering researchers significant compensation may seem like another obvious piece to the bug bounty program, but researcher relations can be equally important.
Katie Moussouris, a vulnerability research pioneer and founder and CEO of Luta Security, told SearchSecurity that Apple paid high bounties -- the most severe bugs can reach $1 million -- but did not focus enough on researcher outreach, which she called "the human element."
Keeping researchers happy is important because there are zero days to go around. Dustin Childs, communications manager at ZDI, said Trend Micro is detecting more zero days in the wild this year than previous years, but that could be because researchers are getting better at finding them.
No matter the reason for more zero-days, the rise in large-scale ransomware and cyberattacks on critical infrastructure means that the stakes have never been higher for which entity ultimately receives a zero day. And when researchers aren't happy, there can be consequences.
Trials, tribulations and competing with the black market
As more programs have come onto the scene and the space has matured, criticisms have been leveled against various vendors and platforms for a number of issues.
For example, bug bounty researchers have expressed frustrations with the Apple Security Bounty program, with claims of inconsistent communication and certain vulnerabilities not being credited to researchers. These criticisms are not unique to Apple; other major programs have been criticized for those issues in addition to others, such as paying less for vulnerabilities than the researcher feels may be appropriate.
John JacksonFounder, Sakura Samurai
John Jackson, a researcher as well as founder of the Sakura Samurai hacking group, said "programs getting away with underpaying or lowering the severity of bugs has made it worse for the general community of bug hunters overall."
What happens when these frustrations boil over can vary depending on the researcher. Some with larger audiences have publicly put programs on blast, like when Jackson discussed his experience working with HackerOne and Ford in an Oct. 1 Twitter thread. Some have publicly published apparent zero-days. Others will sell outside of conventional vendor and bug bounty programs to zero-day brokers like Zerodium.
Zero-day brokers buy exploits from researchers and sell to other parties. They are typically considered part of the "grey market," as the ultimate customer of a researcher's exploit after the broker buys it could be a spyware vendor like NSO Group or a nation-state government. On the black market side, threat actors like ransomware groups are known to buy exploits on dark web hacking forums.
Grey and black markets often buy zero days for significantly more money than vendor or platform-led programs but require more complete, detailed exploits than their more official counterparts.
Rice said that while programs don't match brokers on a dollar-for-dollar basis, it's up to the programs to create a positive enough experience to balance that difference.
To that end, Childs said Pwn2Own, a popular hacking competition sponsored by ZDI, is held three times a year. Researchers are given cash prizes above typical ZDI levels for exploits. One benefit to a contest like this, Childs said, is that researchers are given more competitive bounties, though the standards for submissions are higher.
Still, researcher frustration with how vendors or third-party platforms conduct bounties or vulnerability disclosure programs is all too common. Jackson said that one way to improve the landscape for researchers would be to implement a neutral third-party regulator to better ensure fair communication between hackers and program holders.
"Hackers don't have the ability to fight back against a platform without being banned, silenced or shunned. The bug bounty platforms can't possibly represent a hacker's best interests because the clients that a platform manages pay them money," he said. "Therefore, if a client doesn't want to do something and threatens to leave, the platform will hold the client's intended resolution process above the researcher's."
The current bug bounty landscape
Ellis said the bug bounty landscape continues to evolve and accelerate, in part due to the pandemic and the changes brought about from more people working from home.
Google Android security director Scott Roberts also noted a rise in submissions during the pandemic.
"Starting with the COVID lockdown, we saw a pretty sizable increase in the number and quality of researcher submissions," he said. "I think it's fair to say that many of our researchers had more available time on their hands from home to work on these issues. And we found that directly translate in a significant increase in security rewards in 2020, versus what we saw in 2019. And that has continued to increase in 2021 as well, though we have not announced any of our results. But in 2020, we published a record 1.7 million rewards in the Android security reward program itself, and we are on track to really exceed that."
HackerOne's Rice said he feels positive about how far bug bounties have come but is "a bit taken aback" by how far infosec overall still needs to go. He said vulnerability disclosures need more encompassing safe harbor because the Computer Fraud and Abuse Act "still isn't clear on what counts as criminal activity."
He said there's also room to go in terms of transparency and disclosure.
"We have more vulnerability disclosure at this point in time than there ever has been, and it's still just a drop in the bucket in the overall information that we can share with each other," he said. "We regularly survey the top enterprises on the internet to assess who has a vulnerability disclosure policy and who doesn't. The last time we ran this, it's still four out of five enterprises in the Fortune 2000 that have no vulnerability disclosure policy. [There is] no way to contact them if you discover vulnerabilities. That's not acceptable, because the vast majority of them have my data, whether I explicitly gave it to them or not; it's just not an OK place to be."
Different programs and different vendors have different disclosure policies. Many programs credit researchers and coordinate disclosure after a set period of time, but some others can have nondisclosure agreements and lack transparent disclosure policies.
While bug bounties were controversial when ZDI was founded in 2005, Childs said they're "very normalized" today. However, he said he's seeing growing pains among some organizations whose programs are less mature.
"I think a lot of organizations stand up a bug bounty program before they're actually ready to start receiving bugs," Childs said. "What they first need to do is establish a robust response process, because when you offer people cash for bugs, you're going to get bugs. And I don't think they always understand that. I don't think they understand the inventiveness and the intellect of the independent security research community."
Childs said some newer programs will buy bugs and not have a sophisticated process for actually fixing said bugs.
"They're kind of like, 'We bought the bugs, we don't have to fix them.' No, you actually kind of do have to fix that. You do have to have a response, you do have to have a communications plan," he said. "So I think that although the bug bounty marketplace is very mature these days, a lot of the people who are offering bug bounties are in an immature phase right now, and are learning a lot of these hard lessons that others, who have been running bug bounty programs for years, learned a long time ago."
Similarly, Jackson said some companies try to launch a program before their own security posture is in order.
"Generally speaking, the landscape is oversaturated with organizations that think they need a bug bounty program but don't even have basic security practice implemented," he said." I've found that there are many organizations who get bumped into this position but don't know all of the intricacies of managing programs and communicating with hackers."
Moussouris said the bug bounty landscape has been heavily commercialized by bug bounty platforms, and that some have "lost the plot" by making cash prizes the most important part of the program rather than the aforementioned "human element."
She added that the evidence for this can be seen in the fact that researchers are publishing zero- days that could have potentially been sold to other buyers.
"It's not the money," Moussouris said.
Alexander Culafi is a writer, journalist and podcaster based in Boston.