What happens when bug bounties don’t work?
Microsoft recently slashed payments through its bug bounty programs — and some of the ethical hackers they’ve been paying to find vulnerabilities might not be so ethical after all. Bug bounties give researchers an incentive to report vulnerabilities directly to software vendors. That way, vendors can release patches and ensure that customer data is secure. Problem solved, right?
Wrong. Even a well-managed bug bounty program can backfire. And when it does, hackers may fight back—damaging the vendor’s reputation and leaving customers more vulnerable than ever.
The rise—and fall?—of bug bounties
“Bug bounty” is a fun way of saying, “We’ll pay you to find flaws.” These programs started back in the 1990s with the Netscape browser. Many early Netscape users were techies and fanatics about the product; bug bounties gave them a way to share their fixes and workarounds and get credit.
Today, bug bounty programs rely on ethical hackers—also known as security researchers—from outside the vendor (as opposed to pen testers, who are hired by the vendor) to report any vulnerabilities they discover through responsible disclosure—meaning they won’t go public until a patch is released.
Often, ethical hackers are credited once the patch is released, along with receiving payment.
Since the 1990s, a range of companies—big and small—have realized the value of getting smart security researchers on board through these “vulnerability rewards” programs, with rewards today ranging from hundreds to tens of thousands of dollars. Among the biggest are Google, Microsoft, Alibaba, GitHub, and Facebook.
The advantages for vendors seem clear-cut. These programs:
- Create an “aura” of the vendor’s deep commitment to security
- Boost their reputation in the security community—if the program is managed well
- Incentivize reporting to the vendor rather than selling to malicious actors
Bug bounty programs must be above board or they can fail big time. Uber discovered this in 2016, when they disguised a $100K ransom payment as a “bug bounty reward” so they wouldn’t have to face the legal consequences of a breach—a misstep that led to its former CSO’s indictment by the FTC in 2020.
Bug bounty challenges
But even if bug bounty programs are well-managed, problems can arise. Many ethical hackers become disillusioned trying to earn a living from bounties, or are even cheated by companies that claim a bug was already reported.
Certainly, vendors must be generous or risk being mocked and scorned in their industry. In 2013, Yahoo went down in infamy by offering T-shirts from its own store, worth $12.50, as a “reward”—a misstep now known as “T-shirt Gate.” Yahoo learned from the mistake, and today its bug bounty program, HackerOne, is one of the most respected.
But higher payouts are a double-edged sword. As security researchers come to expect more and more compensation, recognition, and respect, they also get used to the idea that they are not operating as a public service but for profit.
For all these reasons, a bug bounty program must be implemented strategically and contribute to the company’s bottom line.
Even so, as Microsoft may soon discover, vendors can quickly lose control. Although there’s no contract or commitment on the vendor’s part to pay a certain amount, when they attempt to tweak their program, hackers may fight back—posing new challenges for cyber risk management.
Microsoft’s pay cut for bug bounty programs
As of July 2021, Microsoft’s massive bug bounty program had paid out $13.6 million to 341 researchers over the previous year. At the time, Microsoft said the average payout was over $10,000. But things changed quickly after that, and complaints began emerging via Twitter that hackers were getting short-changed.
One security researcher tweeted that Microsoft was only paying him $1,000 for a bug previously worth $10,000. Another hacker tweeted, “BE CAREFUL! Microsoft will reduce your bounty at any time!” Microsoft said his Hyper-V RCE vulnerability, officially worth $250,000, was only eligible for $5,000.
Finally, in protest, security researcher Abdelhamid Naceri gave up on Microsoft bug bounty programs altogether. He chose to release his Windows zero-day privilege escalation vulnerability proof of concept (POC) directly to the community through GitHub.
Explaining the move, Naceri said, “I really wouldn’t do that if MSFT didn’t take the decision to downgrade those bounties.” Naceri’s release of his bug to the public certainly ensured that Microsoft would sit up and pay attention. But it also gave threat actors an edge, letting them move in and exploit the vulnerability in the wild while the world waited for a patch—which is exactly what happened.
Bug bounties’ waning efficacy?
Some security experts have been warning about problems with bug bounty programs all along.
For one thing, vendors may be using them as an excuse to get lazy about product testing. Plus, the bugs ethical hackers turn up tend to be low-value, “low-hanging fruit” rather than major vulnerabilities. Finally, bugs found in production are the most expensive to fix. That’s why the entire software industry is moving to “shift left,” pushing security testing earlier in the software development life cycle (SDLC); relying on ethical hackers undermines that shift and can actually add costs.
But a broader question is: “How ethical are ethical hackers?”
Security researcher Naceri chose to release his POC free to the public to get Microsoft’s attention. But it would have been easy for him to sell it. And that’s a problem for users who trust companies’ bug bounty programs to keep them safe.
Not every so-called “ethical” hacker is immune to the promise of a big payout for their discoveries. As payouts decrease, some are certainly not going to care who pays the bounty for their next POC—the vendor or the highest bidder on the dark web. That could lead to more and more zero-day attacks.
The security community is on edge right now waiting to see which way this will go. If large vendors like Microsoft are no longer willing to underwrite their costly bug bounty programs, smaller vendors may get out of the game as well—or at least try to cut corners.
If that happens, it’s inevitable that vulnerabilities will wind up in the wrong hands, giving attackers the opportunity to breach customer data.
Staying prepared in a changing threat landscape
Weakening bug bounty programs are just one way that the security landscape is constantly changing. You need to be ready for more zero-day vulnerabilities, and Vulcan Cyber® is here to help.
As the threat landscape changes, we at Vulcan Cyber stand by our commitment to support the security community in its cyber risk management efforts. Our research team works around the clock to provide vulnerability data and intelligence to ensure you stay ahead of the game.
Vulcan Remedy Cloud offers the world’s largest free and publicly available database of vulnerabilities along with clear remediation instructions so you can find, prioritize, and fix vulnerabilities.