Bug Bounties Help Detect Cybersecurity Flaws

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Joyce E. Cutler

April 13 — Bug bounties bring critical information to Web operators from cybersecurity researchers and hackers who receive a cash award—and often bragging rights—in exchange for information on software vulnerabilities, which reduces risk for both the company and consumers, companies and security researchers told Bloomberg BNA.

The Pentagon and companies such as Facebook Inc. and United Airlines Inc. routinely provide the cash rewards to security researchers and white hat hackers in an effort to strengthen the companies' websites and provide safe access for consumers.

“Most of the time everyone has the same goals—everyone should be safe,” Ryan Kalember, cybersecurity senior vice president at Proofpoint Inc., told Bloomberg BNA. “A cybersecurity researcher that is calling you and is obviously not extorting you is someone you should be engaging with,” he said.

“When you have a more proactive program around that and do have things like bug bounties, you make it clear to the world you want to engage in researchers directly and come to you directly instead of selling directly to highest bidder,” Kalember said.

Traditional Methods Failing

Cybersecurity researchers are treated differently by different people, said Chris Valasek, security lead at Uber Technologies Inc.’s Advanced Technologies Center. “There are some people that are happy when someone reports a bug to them,” however, “there are others who are angry,” he said. “It all depends on the situation and the interaction,” he said.

Companies with bug bounties “usually play the best” with cybersecurity researchers, Valasek said. “From my perspective it isn't the money, but the ability to understand that someone is testing their product and alerting them of the issues instead of taking it as a personal attack,” he said.

At last summer’s DEF CON hacking conference, Valasek and Charlie Miller, engineer at Uber, demonstrated how they remotely exploited an Internet-connected Jeep. Uber later hired the pair to work at the ride-hailing company’s partnership with Carnegie Mellon University on mapping and autonomous technology.

“The traditional methods that companies are using to identify vulnerabilities before the bad guys really hasn’t evolved in the past 15 years,” Casey Ellis, chief executive officer and founder of Bugcrowd Inc., told Bloomberg BNA. “We’re still doing the same things we were doing back then” and hoping to “get better at solving that puzzle and fix it before an adversary comes along,” he said.

“So really, the idea the whole idea of engaging the latent talent that exists in the white hat security researcher community that’s really the only viable solution,” rather than hiring and paying by the hour when the industry is already “209,000 people short for that army,” Ellis said.

Bucks for Bugs

Bugcrowd uses a crowdsourced community of cybersecurity researchers to test Web applications. Payouts range from $100 to $15,000 depending on impact and severity. The average payout is $300 for a basic bug, $600 for a progressing one and $1,000 for an advanced threat, Bugcrowd said.

Bugcrowd runs crowdsourced security and bounty programs for companies including Tesla Inc. and Western Union Co.

Various companies, including Dropbox Inc., Etsy Inc., F-Secure, Microsoft Corp., Mozilla Corp., Pinterest Inc., Square Inc., Twitter Inc. and Yahoo Inc., offer cash rewards for exposing vulnerabilities.

For example, Google Inc. doubled its top reward to $100,000 for flaws in Chromebook. Google last year paid researchers more than $2 million, up from more than $1.5 million in 2014, Google said in a blog post.

United Airlines' bug bounty program “is truly innovative – the first of its kind in the airline industry,” Linda Jojo, executive vice president and chief information officer at United Continental Holdings Inc., told Bloomberg BNA. “It has allowed us to build relationships with researchers across six continents that continue to strengthen our security efforts,” she said.

United Airlines can “tap the enormous expertise and creativity of ‘the crowd,’ and we continue to learn a great deal from the individuals we work with,” she said. Cybersecurity researchers and hackers “help us protect our customers and stay one step ahead of new cyber threats,” Jojo said.

Facebook pays based on a bug's risk, rather than its complexity or cleverness, with an average $1,780 payout last year. Facebook since 2011 has received more than 2,400 valid submissions and awarded more than $4.3 million to some 800 cybersecurity researchers around the world.

“One of the best ways we can advocate for the security researcher community is to acknowledge that the success of our bug bounty program isn't just about the individual vulnerability reports we receive,” Adam Ruddermann, technical program manager on the Facebook Bug Bounty team, said in a blog post. “It's also about building positive relationships with thousands of people whose technical and cultural experiences may differ from our own,” he said.

‘Hack the Pentagon’

The U.S. Department of Defense April 18 will launch “Hack the Pentagon,” the government’s first bug bounty program designed through crowdsourcing to identify and resolve security vulnerabilities within its websites.

The Pentagon pilot runs April 18-May 12. HackerOne will issue qualifying bounties by June 10. Critical, mission-facing computer systems won’t be involved. Terrorists, drug traffickers and other criminals needn’t apply.

“I think the biggest thing the Pentagon is trying to figure out is are they going to catch on fire if they do this rather than efficacy” of concept, Ellis said. “This is a radical shift for these guys. They aren’t known for being super innovative and fast moving, particularly when it comes to cyber.”

To contact the reporter on this story: Joyce Cutler in San Francisco at jcutler@bna.com

To contact the editor responsible for this story: Daniel R. Stoller at dstoller@bna.com