For more background on this topic, I’ve introduced this coordinated vulnerability disclosure program trend in another blog last year. After events so far in 2017, I’ve become even more convinced that state and local governments need to start building bug bounty programs. Also, state and local governments can learn from federal government and private-sector experiences on this important topic.
During the first half of this year, technology media coverage of bug bounty programs has increased substantially.
Here are a few 2017 examples to consider:
— Federal Computer Week (FCW): Why bug bounties are worth the risk
— TechCrunch: Air Force launches bug bounty program
— InfoSecurity Magazine: US Bug Bounty Programs Here to Stay Under Trump Administration
— Federal News Radio: Lessons learned from DoD’s bug bounty program
An Exclusive Interview with HackerOne CEO Marten Mickos
To dig deeper on this topic, and to gain a better grasp of recent developments, I turned to a top expert on bug bounties — Marten Mickos.
I first met Marten at the Billington Global Automotive Cybersecurity Summit last summer, and I was impressed with his perspectives on the global cyberlandscape, and especially what works in addressing our growing number of cyberattacks. HackerOne was selected to run the ‘Hack the Pentagon’ program in 2016, and they also are conducting several follow-on programs with the federal government.
Marten Mickos, CEO of HackerOne
In addition, this recent report offers metrics, charts and “white paper” details from over 800 bug bounty programs and 50,000 resolved security vulnerabilities. For example, here is an interesting chart from the report.
Now on to the interview with Marten:
Dan Lohrmann (DL) — Bug bounties have been around a while for technology companies; why are they now starting to be adopted by other industries?
Marten Mickos (MM), CEO of HackerOne — The rapid growth in bug bounty and vulnerability disclosure programs is a result of strong trends. Firstly and most importantly, every company is becoming a tech company. Nearly everything of value is stored as software and protected by software. But software is vulnerable, and cybercrime is growing at an unprecedented rate. As companies look for effective ways to become more secure, they realize that there is a veritable army of ethical hackers ready to help, if invited. Realizing that traditional security solutions are insufficient and that they can never hire enough security experts in-house, companies are turning to outside help.
Bug bounty programs are the most powerful way of finding your system vulnerabilities so that you can fix them before they are criminally exploited by malicious actors. The phenomenal results that the early pioneers of this practice — namely Microsoft, Google and Facebook — are seeing serve as evidence for everyone else that hacker-powered security truly works. As a bonus, this model is results-based: Hackers get paid only for the vulnerabilities they find, not for the time they spend searching. This makes it a no-brainer to start with a vulnerability disclosure program and later move to a bug bounty program (typically first private and later public).
The model is so powerful that the Department of Defense launched their Hack the Pentagon program a year ago, with unparalleled results. The first report was filed within 13 minutes, and during the next few weeks, a total of 138 valid vulnerabilities were detected and reported to the DoD. They are now more secure.
DL — What industries are growing the fastest in the use of bug bounties?
MM — Bug bounties are seeing growth in nearly every industry sector. Tech companies continue to be the fastest movers. The federal government has stunned everyone by moving faster than many industries that were supposed to be more progressive. When the DoD launched Hack the Pentagon in the spring of 2016, it caught the attention of everyone.
When the outstanding results were published, it changed people’s mindset. Since then we have run Hack the Army and Hack the Air Force. We have also launched a program for GSA. FTC recommends hacker-powered security to all companies. When it comes to bug bounty programs, we should be proud of our federal agencies. Other industries that are growing fast are e-commerce, retail and gaming.
DL — Why is government lagging behind in your view?
MM — I don’t think the federal government is lagging behind. On the contrary, they have shown a remarkable readiness to adopt new security practices. Many commercial companies will first change their software life cycle model from waterfall to agile before they launch a bug bounty program. But the federal government sees hacker-powered security as so central that they are moving to that model at the same time as they are upgrading their traditional software development and deployment practices. That’s a laudable act.
Of course there are also parts of government that are not moving fast to this new model. I would think that it is because they are under budgetary and political pressure and have other challenges that take up their time and attention. With the exemplary results from Hack the Pentagon, I do however think that it is just a question of time before this will change.
DL — Aren’t there drawbacks to vulnerability disclosure programs? Are you inviting trouble to enter your network?
MM — As with all new models, we humans will first doubt that the model will work. We doubted that electric cars would work until Tesla proved otherwise. We doubted cloud until AWS [Amazon Web Services] showed how to do it. We doubted open source software until the whole world ran on Linux.
In a similar way, hacker-powered security sounds too good to be true. The questions are numerous. How can an external person find something internal ones can’t? Will there really be enough experts on the outside? Aren’t they just useless amateurs? Will they really be ready to help us? Aren’t we just inviting trouble? What if they first behave well and then shift to the dark side? What if our competitors hear about our vulnerabilities? What if we get too many reports from the outside?
The exact answer to this is detailed and long. Every doubt has its natural response and solution. If we don’t have time to go into all those details, we can study those who already committed to this model. The first bug bounty program was run in 1983. The next one of fame (Netscape’s) came in 1995. A decade or so later, we saw big programs launched by Facebook, Microsoft and Google. These three Internet giants swear by vulnerability disclosure. Their programs keep expanding, and the software of these companies is becoming more secure. Those companies have hired some of the world’s leading security experts, yet they continue to ask the external community of hackers and security researchers for help. These programs serve as evidence of the effectiveness and functionality of this model. And we have seen a number of leading organizations follow suit: General Motors, Lufthansa, the Department of Defense, and so on.
DL — Are hackers who participate vetted or qualified or not? If yes, how?
MM — Yes, they are. When a hacker signs up with HackerOne, we track their every advancement in the practice of security research. We know how skilled they are and what they have worked on. The higher in the tiers of our network they reach, the more we know about them and the more formally vetted they become. As an example, the 1,400 hackers who participated in Hack the Pentagon had all gone through a thorough vetting that included background checks. As needed in specialized private programs, hackers may go through additional qualification steps, and for some programs they sign an additional NDA.
DL — Where do you see this trend going in the next year? Are any states or local governments offering bug bounties?
MM — We are seeing a rapid expansion of hacker-powered security. It is happening in most industry verticals and all corners of society. It would not be wise to make a prediction, because we have always been taken by positive surprise when unexpected organizations come to us for help. Just as one example, we had a cemetery sign up for a bug bounty program last year. You would think that they don’t sit on much valuable or sensitive data. But when you think a second time, you realize that the PII [personally identifiable information] of deceased people may actually be the most attractive information for criminals to steal. For that reason, it makes perfect sense to ask the hacker community to help find the vulnerabilities so they can be fixed.
DL — I want to thank Marten for taking the time to answer my questions and for providing a clearer view of where bug bounties are heading by 2020.
Wrap-Up
Back at the beginning of 2017, I wrote that I was surprised that we didn't see more of a spotlight in industry predictions regarding "bug bounties" or coordinated vulnerability disclosure programs — and I predicted there will be rapid growth in government and other industries in the next few years.
I believe this prediction is still accurate. I am starting to see more interest in bug bounties — even from auditors and others who are thinking about how to run penetration tests on systems and networks in new ways.
The traditional pen test relies on the expertise of a select few people. Oftentimes, these tasks are outsourced to cyberexperts anyway, and utilizing coordinated vulnerability disclosure programs will bring a greater number of global ethical hackers to the table.
Finally, I was really challenged by a point raised last July when I facilitated a panel discussion with Casey Ellis (CEO of Bugcrowd), Titus Melnyk (former security lead for FCA — Chrysler) and Marten. The reality is that bad guys are already hacking our systems and finding vulnerabilities. They do not need to be invited in to hack, because they are already hacking now. However, these "black hats" will use the vulnerabilities to do harm and cause data breaches. Don't we need more help from a coalition of the willing men and women (or ethical hackers) that have the required skills?
This is why I am convinced that offering bug bounties will become much more widespread, even in government, in the next few years — likely before 2020.