The topic of our session, stated in terms that you may have heard more frequently, was why (and how) the automotive sector (as well as other industries) is starting to offer "bug bounties" to improve its products and services. And this topic is only growing more intense as we close out 2016 – impacting more public- and private-sector organizations around the world.
One of my upcoming predictions for 2017 (yes – this is a sneak preview with more coming later this month) will be that governments and other critical infrastructure sectors will be setting up coordinated vulnerability disclosure programs and starting to offer more bug bounties. I also think bug bounties will become an important component to securing Internet of Things (IoT) devices, smart cities and much more.
Therefore, I thought it would be a good idea to dive a bit deeper into this topic and dedicate a blog on coordinated vulnerability disclosure programs. Side note: One topic discussed in the panel was whether the term "coordinated" or "responsible" should be used regarding these programs. There are different views on this and ethical considerations. Watch the video for more details on this debate.
Let’s start with the value proposition for responsible vulnerability disclosure programs. Here’s how Marten Mickos, who is the chief executive officer at HackerOne, described why this topic is so important right now:
“We support over 500 companies, 60,000 hackers around the world who are ready to hack you for your benefit. When you know your vulnerability, you can fix it. As a result, the companies (customers of ours) are the most secure in their industries. We are working with car mapping companies, General Motors and Uber. We were hand-picked to run the “Hack the Pentagon” program for the Secretary of Defense. … In just a few weeks, we had 1,400 hackers who discovered 138 severe vulnerabilities in DoD systems. They had paid previously $5 million over three years to find 10 vulnerabilities. They reached out and paid $150,000 and found 138. The first report came within 13 minutes of opening the program. That is how fast the 15-year-old kids hack.”
The entire panel session was just aired on CSPAN this past week, and the video is available for free on-demand viewing now. I embedded the video below, and I strongly urge readers to watch the entire 38-minute discussion.
I can tell you that I learned quite a bit by engaging with this expert panel (before during and after this summit session). Here are some panel highlights from the CSPAN transcript website (note capitalized text comes from CSPAN and other text is my commentary):
Casey Ellis, CEO of Bugcrowd, quotes: “THERE IS AN INCREDIBLE GROUP OF GOOD GUYS THAT … WANT TO HELP. WHAT WE ARE LOOKING AT IS TWO GROUPS OF PEOPLE WHO NEED TO HAVE A CONVERSATION BUT ARE HISTORICALLY TERRIBLE AT GETTING ALONG.”
(Responding to the question of whether $1,500 is enough motivation for hackers.) “THE INITIAL MOTIVATION, THE PRE-EMINENT ONE, HACKERS ARE GOING TO HACK.”
“IN A WEEK'S TIME, IT WOULD BE INTERESTING FOR EVERYONE TO REVISIT THE THOUGHT OF, 'HOW I AM I GOING TO GET STARTED WITH THIS?' ”
Marten Mickos quotes: “IT [getting hacked] IS ACTUALLY GOOD FOR YOU. IT IS AS GOOD AS GOING TO THE DOCTOR AND DOING CHECKUPS YOU DON'T REALLY LIKE TO DO. MUCH BETTER TO KNOW YOUR WEAKNESSES THAN NOT TO KNOW.”
“A BUG BOUNTY PROGRAM IS LIKE A NEIGHBORHOOD WATCH. YOU ARE TRAVELING AND ASK YOUR NEIGHBORS TO TAKE A LOOK AT YOUR HOUSE. NO MATTER WHAT ALARMS AND LOCKS, YOU CAN'T BE PROTECTED AGAINST EVERYTHING SO ASK THE WORLD AROUND YOU TO HELP YOU.”
(Answering question on why some companies do not participate in bug bounties) “THEY MUST NOT CARE ABOUT SECURITY.”
(On vetting hackers) “I WOULD THROW IT BACK AND SAY, 'HOW DO YOU KNOW YOUR EMPLOYEES ARE ALL GOOD ACTORS?' YOU DON'T SCORE THEM THE WAY WE DO.”
Titus Melnyk, former security lead for FCA, quotes: “IF YOU ARE GOING TO DO RESEARCH, THIS IS HOW YOU DO IT SAFELY. THIS IS HOW WE WANT TO REWARD YOU FOR THAT RESEARCH.”
(On insider versus outsider threats) “I THINK THEY ARE 50-50. THOSE INSIDE HAVE GREATER ACCESS, BUT THE INSIDER THREAT IS NOT NECESSARILY SOMEONE PURPOSELY TRYING TO DAMAGE. IT IS MORE THEY ARE CLICKING ON THAT LINK AND RESPONDING TO EMAILS THE ARE NOT SUPPOSED TO. I WISH WE COULD PATCH STUPIDITY, BUT IT HAS NOT HAPPENED YET.”
Recent Media Highlights on Coordinated Vulnerability Disclosure Programs
This topic has been getting plenty of news lately, if you know where to look. No doubt, the election, hacking, recounts and recent DDoS attacks that use IoT devices to bring down networks have been stealing the cybersecurity headlines of late. Still, check out these related stories:
- DoD Publishes Vulnerability Disclosure Policy – “On Monday, Secretary of Defense Ash Carter continued that engagement when he signed a vulnerability disclosure policy that establishes ground rules and guidance going forward for researchers who find and wish to privately disclose bugs on any DoD website.”
- (Australia) Security Vulnerability Disclosure Is Still a Minefield – “There have been many clashes between researchers and vendors, some of which have resulted in legal action against bug hunters. Today, we look at an extremely grey area in IT security: how security vulnerabilities should be disclosed.”
- (UK) Hack the Army: US military begs white hats to sweep it for bugs – “Security experts reckon the US government’s newly unveiled 'Hack the Army' bug bounty programme may usher in greater co-operation across the whole arena of security research.
Back in spring 2016, before the Automotive Cybersecurity Summit, I wrote this blog on bug bounties as an important part of our technology future solution to solve cybersecurity woes and the surge in hacking in all areas of life. Here’s an excerpt:
“Bug bounties are simply rewards for finding and reporting security flaws with a software program that permit unintended actions to happen. A more formal set of definitions surrounding bug bounty programs (sometimes called hacker bounty programs) can be found here.”
Closing Thoughts
I believe that this trend is set to take off in all parts of federal, state and local governments, as well as in global governments moving forward. Just as the DoD issued a new policy, expect the same from others in the public and private sector. Vendors who support these websites and government applications also need to adjust their approaches to include this new normal.
This quote is telling about the new policy (from the DoD article above): “For the first time, anyone who identifies a security issue on a DoD website will have clear guidance on how to disclose that vulnerability in a safe, secure, and legal way. This policy is the first of its kind for the Department,” Carter said. “It provides left and right parameters to security researchers for testing for and disclosing vulnerabilities in DoD websites, and commits the Department to working openly and in good faith with researchers.”
I expect to see most states and large cities issuing some type of policies over the next few years – and certainly before New Year’s Eve in 2020.
In the meantime, do your homework on setting up coordinated vulnerability disclosure programs.
Watching this CSPAN panel video is a good first step to learn more.