As more and more companies compete for ethical hackers’ time, the pressure is on to optimize reward-based vulnerability disclosure, reports Bradley Barth.

When Microsoft temporarily doubled its maximum bug bounty prize to $30,000 earlier this month, it was hard not to notice the timing. After all, the software giant had just been burned twice by Google Project Zero researchers who publicly disclosed Windows vulnerabilities before they could be patched.

This was not the first time Google played hardball with software developers who failed to patch flaws within the company's strict 90-day disclosure window. So it would certainly be understandable if Microsoft's newfound generosity was intended – at least in part – to give ethical hackers an incentive to discreetly find future Windows vulnerabilities before Project Zero and like-minded research groups can, let alone black hat actors with truly dishonorable intentions.

But Microsoft is far from the only enterprise feeling the pressure. After all, bug bounties have not only been validated as an effective cybersecurity tool, but they are outright changing the way cybersecurity is practiced, as companies are now financially competing for white-hat hackers' time and resources.

The stakes and rewards have been raised

Like Microsoft, Google also recently upped its bug bounty rewards – specifically for finding remote code execution flaws and unrestricted file system or database access issues. Josh Armour, Google's security program manager, writes in a company security blog that the increase was an acknowledgement that “high-severity vulnerabilities have become harder to identify over the years” and “researchers have needed more time to find them.”

Even Apple, after stubbornly sitting out of the bug bounty game for years, went “all in” in August 2016, announcing that it would begin offering up to $200,000 in rewards.

“Recent trends have shown a rapid increase in bug bounty participation in the private and public sector alike,” says Johnathan Hunt, vice president of information security at InVision. “As organizations continue to realize a company can be breached even with the largest of security teams and budgets, a mature program and strong security posture, they will begin looking toward more non-traditional approaches to strengthening their security practice.”

A solution provider for product design, InVision has so far awarded over $100,000 in payouts to over 500 different researchers through bug bounty company Bugcrowd, rewarding hackers for finding weaknesses in third-party plugins, integrated SaaS tools, DNS, “and even the most obscure application functionality not picked up by traditional security tools,” Hunt says.

One of the most surprising recent bug bounty developments was when the U.S. Department of Defense approved its own bug bounty program, the first in the history of the federal government. Before this, the notion of a U.S. agency openly encouraging researchers to probe its networks would have sounded absurd.

“Initiatives like ‘Hack the Pentagon’ will happen more and more frequently,” says Belgian security researcher Inti De Ceukelaire. “It could be extra interesting for the government to offer payouts for vulnerabilities their political opponents could use against them.”

Another bellwether moment that augurs the near future of bug bounties was in July 2016 when FCA US, the American subsidiary of Fiat Chrysler Automobiles, became the first full-line automaker to offer financial rewards for the discovery of vehicle vulnerabilities. (Tesla notably rewards hackers for their research as well.)

Indeed, connected cars and other Internet of Things (IoT) products will likely be the catalyst for a whole new slew of entries into the bug bounty landscape, as already evidenced by such companies as Fitbit. Hunt says that bug bounty scopes, in general, “will continue to evolve beyond traditional application vulnerabilities to all areas of this global system of network connectivity we call the internet, including IoT, IIoT, M2M and more.”