17 C
Tuesday, May 28, 2024

Hacker Versus Hacker

Must read

Chandni U
Chandni U
Assistant Editor

The ins and outs of in-house versus outsourced bug bounty models and the importance of a robust cybersecurity strategy.

Restaurant aggregator and food delivery company Zomato promises to pay $4000 to anyone who finds a bug in their website. The Bug Bounty program is a full-fledged business, and bug bounty hunter is a professional career choice today. From the Pentagon and Goldman Sachs to Microsoft and thousands of small businesses, these programs are popping up everywhere.

Considering just one platform, HackerOne has 800,000 hackers registered and paid  $44 million in cash rewards in 2020 alone. The numbers are overwhelming, but it’s good to know there’s a community of “friendly hackers’. 

The Start of Something Better

Several software vendors received bug reports from security researchers, aka ethical hackers, for free two decades ago. With proper day jobs, they did their research on the sidelines or were experts at security teams and indulged in pro bono work to promote their research teams. 

Soon, several high-profile bug hunters raised their voices against it. Apart from the possible monetary value of bug reports, the legal actions of being sued, threatened, or imprisoned were reasons to stop and re-consider the pro bono practice. The success of the ‘No More Free Bugs’ Movement paved the way for the rise of bug bounty programs. 

Bug bounty programs came into existence as agreements offered by certain companies to ethical hackers rewarded for reporting or finding security vulnerabilities. The goal is to fix a vulnerability before it becomes common knowledge or cybercriminals discover it. However, in recent times, companies across industries are investing in a more diverse, customizable, and inexpensive model. Apart from the popular global bug bounty programs like HackerOne, BugCrowd, Cobalt, Safehat, and Intigriti, some of the top bug bounty programs in the Middle East include Saudi Federation for Cyber Security and Programming’s (SFCSP) BugBounty and CROWDSWARM.  

Sometimes, due to the proliferation within the bug bounty market, maintaining a successful program gets complicated. Experts believe it is important to have a strong strategy before implementation.   

Bug Bounty 101

There are in-house models and outsourced models, and both possess merits and drawbacks. 

Most multinational enterprises choose an in-house program with a documented public-facing submission. On the other hand, outsourced programs are as-a-service models where companies partner with third parties. While in-house bug bounty programs can have personalized rules over alert triaging, program fine-tuning, and best practices, they require a lot of time, money, and resources. Outsourced programs are far more affordable but not under the company’s control.

Despite the choice, companies must ensure they have vulnerability management capabilities. Experts reckon companies must add a bug bounty scheme into the business strategy only when the CISO is ready to commit to a vulnerability discovery followed by its remediation. If the company consistently fails to patch known vulnerabilities, it must first focus on fixing internal security. Inviting hackers into the system without enough self-protection is unwise. It is also recommended that companies first indulge in an internal bug bounty program as a small-scale project to gauge the security management capability and understand the bug bounty requirements.  

Finally, companies must be aware of the risks of bug bounty programs. They do not stop at the inability to fix the bug. They must be mindful of their internet-facing infrastructure and product footprint. How would a vulnerability impact the business? It is also possible that some hackers make honest mistakes or act in bad faith. Having a well-researched strategy, including bounty policies, is helpful.  

With consistent technological advancements and digitization, bug bounty programs should be flexible. Experts reckon that today’s efficiency might be insufficient soon. Even a company’s internal security requirements might evolve with the launch of new products and services. Otherwise, the business can open up to new threats. 

The Recent Bounty Overflow

There have been several news reports of losses of revenue due to vulnerabilities, the launch of programs, and the bug bounty rewards. For instance, Yearn Finance launched its bug bounty program with payment offers of up to $200,000. Apart from locating vulnerabilities, Yearn Finance hopes for protection from flash loan attacks that cost them $11 million loss of revenue earlier. 

Attracting hackers to invest their time with $10,000 as a reward, Asian e-commerce giant Lazada launched its first bug bounty program with YesWeHack. On the other hand, Immunefi has already paid $3 million in bounty. Since their launch in 2020, they have protected over $25 billion worth of user funds. 

Meanwhile, a DoS vulnerability was found by ethical hacker afewgoats and disclosed through a GitLab bug bounty program run by HackerOne. Experts state that the DoS issue can be resolved by updating installations to the latest version of Gitlab. GitLab aims to become more bug-hunter-friendly they offer dual-use security research collaboration, which will be withdrawn if abused. 

The Cobra Effect

During the second half of the 19th century, there was a  growing population of venomous cobra snakes in India. To end the threat, authorities began to offer bounties to anybody who turned in a dead cobra. It was a tremendous success. 

With the growing rate of dead cobras, it was assumed that the nation would soon become cobra-free. But much to the horror of the government, it only increased. Upon investigation, it was found that hunters hungry for the easy rewards had begun to breed the snakes and kill them to keep their newly found income stable. 

The authorities shut down the bounty program. What did the hunter-breeders do with the worthless cobras? They set them free. The streets crawled with cobras, the population higher than ever before. The bottom line was that a program initiated to eliminate threats only caused a dramatic increase. Thus, the term cobra effect. 

The Responsibility of Security Leaders

Experts warn companies to be wary of the cobra effect that could seep into their bug bounty program. The hackers are offered monetary compensation and leaderboard glory, but some rogue hackers might misuse their power. 

Another reason for the rise of bug bounty programs and hunters is the software vendors. There are two ways to eliminate vulnerabilities. Investing in extensive secure-by-design development, cost testing, deep analysis, and fuzzing, or detecting faults after the code has been transferred to production. Although it is important to do both, many vendors then choose to assign the liability of identifying vulnerabilities in their products to the hunters as it is cheaper to maintain than a team of security personnel. The danger of unsolvable vulnerabilities is always looming. Experts strongly suggest vendors reconsider their strategies as it might backfire in the long run. 

Although bug bounty programs have massive advantages, it is important not to be bound by them. Offering incentives to companies that comply with security standards can be beneficial. For instance, companies with trained software developers can give legal protection to companies that can write secure code and include it in the products at the development stage. They are then protected from cybersecurity civil litigation. Companies that do not comply can be sued for a weak security system.

Troubles of an Ethical Hacker

While it is possible that some hackers could steal data or introduce a vulnerability, many ethical hackers are helplessly judged and threatened. 

Ethical or not, having the word hacker in the designation title is an entitled risk. They risk being assumed to have violated the Computer Fraud and Abuse Act (CFAA). In the US, the community heaved a sigh of relief at the recent upgrade of the definition of unauthorized access, where the act criminalizes only data access violations from prohibited files. Experts add that ethical hackers must be given whistleblower protection as some companies can threaten them with legal action for finding lethal product vulnerabilities. 

Unfortunately, many ethical hacker communities believe that several reported vulnerabilities through alternative channels get ignored or don’t get patched soon enough. A Belgian-based bug bounty platform Intigriti, revealed that 12% of their submissions failed to reach the appropriate security teams.

Yet, the fight is strong. The massive ecosystem of bug bounty hunters has created several training programs, books, conferences, and companies at their disposal. With enough incentives such as bounty rewards, friendly hacker status, or the pure joy of discovering bugs, white hat hackers continue to work towards destroying the illegal activities of black hat hackers.

More articles

Latest news