This week on The Vergecast Interview series, Verge Editor-in-chief Nilay Patel speaks to Katie Moussouris, founder and CEO of Luta Security.
Moussouris has a long history in computer security and has worked at Microsoft and the Department of Defense, which developed their first bug bounty programs to incentivize the discovery and reporting of vulnerabilities in their software systems.
Nilay and Katie discuss the history of bug bounty programs, from the early iterations to the current state of affairs, the good and the bad. Although Moussouris says that hiring hackers to make businesses more secure has many positive aspects, the commercialization of the practice has created blind spots and other unintended incentives.
Below is a lightly edited excerpt from this conversation.
Nilay Patel: What are the shortcomings of a bug bounty system?
Katie Moussouris: Well, frankly, the mistake, I have to say, lies in the commercial implementation of bug bounties. So basically my company comes in and evaluates the organizational maturity, like: "Are you ready for it? Can you handle the truth?"
Many of the questions we ask companies are met with: "Yes, but we want to do this industry best practice, known as a bug bounty. And we know you do all of these big bug bounties. So you just make us a bug bounty."
And I think, "But you couldn't keep up with patching the systems that you know are out of date. How can you deal with this extra volume?" And they say, "Oh, but we'll just hire a bug bounty service provider, and they'll take care of everything for us." And I'm like: "Wait a minute. What part of your internal patch processing did you not understand from the remaining questions?" Because they sit there and say: "We were told we could outsource this."
I see it as a failure of both sides of the market. I worked for a bug bounty company. I believed in this model as: "Hey, why don't we make it easier to connect companies to hackers and make it safer for everyone? And eventually companies and governments become safer, and ultimately the hackers don't just stay out of jail and earn a living, but also grow." Because ideally, you don't want to see low-hanging fruit all over the world. You want people to actually fix these mistakes themselves and ideally prevent them. But even if they accidentally coded some low-hanging-fruit bugs, to be able to recognize them themselves. Don't rely on third-party randos online to tell you about this low-hanging fruit.
Where I've seen this fail is that commercial bug bounty platforms, basically their business model, keep you bad at security, so there's a lot of low-hanging fruit for the relatively low-skilled workforce hanging around on the platform – with very few exceptions, there are highly qualified people on these bug bounty platforms. But I think I've read the latest report from one of the leading bug bounty platforms. Out of 600,000 registered users, 146 have never earned more than $100,000 on the platform in their entire lives. You know, for a professional penetration tester, even 15 years ago, when I did that, the starting salary was over $100,000.
So we don't see a good development of security posture as a result of these programs. We also see no good development in the health of the cybersecurity workforce. We see a huge base of the pyramid, the kind of people who are able to run free or almost free scanning tools and give you the low-hanging-fruit reports. And they make up the majority of bug bounty hunters. And that tiny top of the pyramid of highly skilled workers – that's literally fewer than 200 people – is at the top. This is despite the fact that these companies have existed for eight years.
It's so funny that you're describing a hacking cybersecurity business model that looks very similar to a user-generated content business model for platforms. You could have just described YouTube or Instagram or any of these other platforms that promise access to a lot of people but only reward a tiny fraction of the people. Is that an exact analogy?
Absolutely. I mean, the rules of the bug bounty are just that the first to report a unique bug gets paid. So think of all the low-hanging fruit. You could spray and scan with your scan tools, but to make money from something that was very easy to find, you just have to be the first. So there is a lot of unpaid work going into these platforms.
And then let's say, even if you work at a higher technical level and find more esoteric bugs, we hear complaints from companies left and right that say, "Oh, we already knew about this bug, so we won't pay you. It is already being fixed." So there are a number of things where people don't get what they signed up for. I see it as another failed implementation of the gig economy market.
We all had high hopes that the gig economy would help many people. And it certainly hasn't turned out to be great for the worker side. But in the case of bug bounties, it is not great for either the buyer side or the seller side. You don't have access to huge new workforces. This tiny number of people who are fairly highly skilled and earn good money on these platforms may not want to give up their lifestyle. Some of them have chosen to work internally in companies, but they also keep their moonlighting skills and everything. So we don't see the entire gig economy, as expressed in bug bounty platforms, working for both sides of the equation.
So this analogy may be stretched past its breaking point: when we criticized YouTube or Instagram, it works great for YouTube and Instagram. They have no incentive to fix this because they are reaping all the rewards. I would imagine that at least more money flows through the bug bounty ecosystem and there is a real risk that "Hey, there are vulnerabilities in our software." So there seems to be an incentive to change it, to change this model. What changes have you seen, or is there simply no such incentive?
After leaving one of the bug bounty companies, I stayed on as a consultant for almost a year, working with them on various mutual clients. I have had customer overlaps with many if not all major US bounty companies. And what I keep seeing in their business model is that I want to help organizations become more mature. So fewer low-hanging-fruit bugs, more esoteric bugs. But all of their business models depend on always having dudes with low-hanging fruit in the water.
So you don't want the process delays [when] my company normally comes in and says, "Are you ready for it? Did you invest internally to find the bugs yourself? Did you know that it is up to 45 times cheaper to actually identify vulnerabilities in the design phase?" And that ultimately leads to a delay in the introduction of bug bounties. This isn't for everyone, and certainly not appropriate if you can't even fix the bugs you already know about.
So I think the inherent conflict that arises in the different business models – bug bounties compared to the advisory services that my company offers – is that bug bounties can help with a tiny fraction of what you already must do for vulnerability management, but it is positioned as the easy button for it. We see that many companies are getting to grips with the fact that they still have breaches, even if they have a bug bounty or cannot reward everything.
There is an airline that has had a bug bounty for just over four years. This is United Airlines. Is it on the plane? No, it's on the websites. It is against the website. So how are we safer in the sky? Well, we are not. But it looks like you're exercising care in vulnerability management. I think commercial platforms that enable bug bounties have put pressure on here, such as, "Look, you know, you just look very busy." Yes, you play Whack-a-Bug and everything and that is super inefficient, but you can say that you take security very seriously and fix all those low-hanging-fruit bugs and so on. We won't call them that. We will only say that there are all these bugs and that it is very valuable. And then when you get breached, maybe you won't get into trouble because you can say, "Well, we tried. We had a bug bounty and just nobody reported this particular problem to us."
So I don't know. I mean, I would like to say that everything is going in the right direction, but frankly, I have seen it devolve, especially in the recent years of bug bounty commercialization.