When Jonathan Leitschuh found a catastrophic security vulnerability in Zoom, the popular videoconferencing platform, the company offered him money to keep quiet in the form of a bug bounty and a non-disclosure agreement (NDA) through Bugcrowd.
The security flaw affected millions of Zoom users on Mac, and Leitschuh wanted to see the issue fixed. He declined the bounty payment because of the NDA, gave Zoom an industry-standard 90-day embargo to ship a patch, and when the company failed to do so, he published his research.
Cue fireworks. Zoom got a lot of negative media attention and fixed the security flaw. Leitschuh's struggle to hold organizations accountable for their poor security posture is more common than you may think, and some security researchers feel the bug bounty platforms — HackerOne, Bugcrowd and SynAck — have become marketplaces where their silence is being bought and sold to prevent public exposure of insecure practices.
Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, which multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."
Bug bounty vs. VDP
A vulnerability disclosure program (VDP) is a welcome mat for concerned citizens to report security vulnerabilities. Every organization should have a VDP. In fact, the US Federal Trade Commission (FTC) considers a VDP a best practice, and has fined companies for poor security practices, including failing to deploy a VDP as part of their security due diligence. The US Department of Homeland Security (DHS) issued a draft order in 2019 mandating all federal civilian agencies deploy a VDP.
Regulators often view deploying a VDP as minimal due diligence, but running a VDP is a pain. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it, and when the time is up they call their favorite journalist and publish the complete details on Twitter, plus a talk at Black Hat or DEF CON if it's a really juicy bug.
"Getting ready for a VDP is technically straightforward but politically is a harder challenge," HackerOne's co-founder and CTO Alex Rice tells CSO in defense of the practice of providing private bug bounty programs to companies that lack a VDP, citing legal, regulatory, policy and risk management concerns inside customer organizations. "Today we have people launching private bounty programs before VDPs, and that's a model that's worked well to start building that researcher relationship with a small number of hackers in a private engagement," he adds. "We could debate all day whether that’s right or not. Our conclusion is that it's right for some organizations."
The delicate balance of running a VDP and working with good-faith researchers is a win-win-win for society, for the impacted organization, and for the security researcher, but some enterprises more worried about their stock price might prefer to pay money to make that pain point go away.
Bug bounty platforms offer organizations a tempting alternative. Researchers report security flaws under NDA and are paid to keep quiet. Maybe we'll fix the issues you reported. When we get around to it.
But there are no regulatory — or even normative — requirements to deploy a bug bounty, and for many companies unprepared to process a deluge of bug reports, a bug bounty is the wrong decision.
VC-powered marketing hype
Venture capitalist-fueled dreams of building a billion-dollar unicorn cybersecurity gig economy are largely to blame for where we are now, Moussouris tells CSO.
“I want to get to 1,000,000 hackers [on our platform] … that’s really where I want us to be in the future,” HackerOne CEO Mårten Mickos told CyberScoop in July 2017. The company's February 2020 report "details the efforts and motivations of more than 600,000 individuals who represent our hacker community."
Except that 600,000 number is at least somewhat inflated. This reporter has two of those accounts, including one created, and forgotten, in 2017. Anyone can sign up for as many HackerOne or Bugcrowd accounts as they like. (SynAck requires applicants to apply with a resumé before giving them access to bug bounty programs.) The real question: How many competent security researchers are finding and reporting bugs?
According to HackerOne's Rice, 9,650 HackerOne users submitted valid bug bounty vulnerability reports in 2019, with 3,150 of them sufficiently motivated and engaged to respond to the company's questionnaire.
That number of active users is far short of Mickos's lofty one million hacker goal. And as for the quality of those valid vulnerability reports... "I've seen some quote unquote valid vulnerability reports," Laurens ("lvh") Van Houtven, principal at Latacora, a secops and cryptography expert, tells CSO. "If someone asked me 'should I put this in my appsec report?', I'd say 'you can put it in there, but I will never let you live it down.'"
Moussouris, now founder and CEO of bug bounty consultancy Luta Security, questions how much of HackerOne is real. "Their latest report shows most registered users are basically either fake or unskilled," she says. "The number of people making more than $100,000 over their entire time working on the platform is in the low hundreds. That number of relatively skilled researchers hasn't changed significantly at all, making their claim to have the largest number of hackers pretty misleading."
"These commercial bug bounty platforms ... are perverting the entire ecosystem, and I want to see this stop, even if it costs me personally," Moussouris adds. As a former HackerOne exec, she would profit handsomely from any successful HackerOne public stock offering. "I am speaking to you in the opposite direction of my own personal financial gain."
HackerOne also makes a lot of noise about its "hacker millionaires," who have made more than a cumulative million dollars each since the platform launched in 2012. What was the median income of a HackerOne bug finder in 2019? What about the average? How many vulnerability reports does the median/mean hacker submit? HackerOne declined to answer these questions.
Likewise, Bugcrowd tells CSO that it has "20,000-plus active researchers on the platform with an estimate of 2 to 3 million potential whitehat hackers available around the world."
How does Bugcrowd define an "active researcher"? Is that a calendar year 2019 figure, or a cumulative number since Bugcrowd first launched in 2011? Where does the 2 to 3 million whitehat hackers number come from? "At this time, we do not publicly disclose those details," a Bugcrowd public-relations rep tells CSO.
Covering up security issues
Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.
"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.
Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."
The bug bounty platforms' NDAs prohibit even mentioning the existence of a private bug bounty. Tweeting something like "Company X has a private bounty program over at Bugcrowd" would be enough to get a hacker kicked off their platform.
The carrot for researcher silence is the money — bounties can range from a few hundred to tens of thousands of dollars — but the stick to enforce silence is "safe harbor," an organization’s public promise not to sue or criminally prosecute a security researcher attempting to report a bug in good faith.
The US Department of Justice (DOJ) published guidelines in 2017 on how to make a promise of safe harbor. Severe penalties for illegal hacking should not apply to a concerned citizen trying to do the right thing, they reasoned.