Are we prepared for a cyberpandemic?

Ethical hackers in the service of business

Arrah-Marie Jo, Researcher at IMT Atlantique and David Massé, Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)
On March 3rd, 2021 | 4 mins reading time

Key takeaways
  • Bug bounties allow companies to let "ethical" hackers (white hats) look for vulnerabilities in their computer systems and pay them if they find any.
  • The world's largest bug bounty platform, HackerOne, is used by more than 7,000 companies, which have distributed more than $100 million in bounties between 2013 and May 2020.
  • The challenge for companies is also to recruit these hackers, to internalise the fight against cybercrime and spread these valuable skills within their teams.

They are a nightmare to businesses: they steal identities, paralyse organisations and break into cryptocurrency centres. Two-thirds of companies worldwide are reported to have suffered a cyberattack in 2020, representing a loss of more than USD$1 trillion, approximately 1% of global GDP [1].

To combat security vulnerabilities, companies are increasingly turning to so-called bug bounty programs. The premise is simple: companies allow hackers to explore their programs, websites or apps in search of security weaknesses, which the hackers then report. Whilst there are many advantages for companies in doing so, the primary benefit is financial. Unlike traditional cybersecurity auditing, which is expensive and must be carried out often, in a bug bounty the company only pays up if a new weakness is detected.

A popular phenomenon

Platforms connecting companies and ethical hackers first cropped up at the end of 2013 and since then the market has seen rapid expansion. For instance, HackerOne, the market leader, has registered more than 7,000 companies using its services. This represents more than USD$100 million in bounties between 2013 and May 2020, and an average annual growth of 86% in the total amount of compensation paid out by the companies.

In the beginning, the use of bug bounty programs was limited to web and tech industries (Netscape, Mozilla, Google, Facebook, Microsoft), as well as companies specialised in cybersecurity. However, bug bounty programs are now used by both the private sector (United Airlines, BNP Paribas) and the public sector (the European Commission, the AntiCovid app), by companies outside the Web industry (Starbucks, Hyatt, General Motors) and by others more reluctant to share confidential information (defence, military). The development of bug bounty platforms shows that they have now become essential and widely used across all kinds of organisations.

An alternative to the black market?

At first, one might think that this type of platform could divert hackers from illegal trade on the dark web. For a hacker, there might be no point in selling a security breach on the dark web when it is possible to get a bounty by reporting the vulnerability directly – and legally – to the company in question.

However, things are more complex in reality. Bug bounty programs and the dark web continue to co-exist. The motivations and activities of hackers in bug bounty programs and on the dark web seem relatively different. On the dark web, the objective is not to find a security flaw and correct it. Rather, the goal is to design a tool capable of exploiting the flaw in order to carry out malicious attacks, such as inserting malware or spyware to steal confidential data. On the contrary, for “ethical” hackers (or “white hats”) bug bounty programs are an opportunity to perform good deeds for society, whilst honing their skills towards becoming security experts [2].

A wide range of programs and tasks

Managing a bug bounty program might seem relatively standardised. However, searching for bugs can actually cover various tasks and activities. In some cases, the search for security flaws can be similar to mindless work [3]: it involves a low level of expertise and a rather routine activity. On other occasions, the work offers more freedom and requires more advanced skills, especially when the objective is to probe operating systems in search of “zero-day” vulnerabilities [4].

This is the case for the famous computer hacking contest Pwn2Own, which mainly targets web browsers, virtual machines or connected cars. Hackers are invited to take control of a system by combining several attacks. The difficulty of the task is highlighted by the prize. The more critical, complex and well documented (with recommendations to resolve it) an unknown vulnerability is, the bigger the compensation. Google thus offers a USD$100,000 reward to the person who can demonstrate a live security breach in Chrome’s “sandbox” [5].

A platform, school and recruitment agency

For young hackers interested in cybersecurity, bug bounty programs are also an excellent way of learning on the job. The platform allows them to work on real websites and applications, in a legal manner. Both the hacker community and the platform itself play an important part in the dissemination and exchange of knowledge. The platform publishes “exemplary” reports, organises meetings between hackers, or offers online training courses to promote exchanges and learning.

The platform also acts as a showcase for hackers, who can demonstrate their talents, receive recognition and so build up a “CV” for companies. Every hacker has a profile, visible to all, showing the statistics of his/her past experiences and performance level. Different incentives to encourage competition are implemented, such as award ceremonies, badges, or rankings of the best hackers [6]. It is not surprising that these platforms are also used by companies to recruit competent individuals in cybersecurity, as they are often confronted with the problem of shortages on the market [7].

For companies, in the long run, bug bounties can bring even more significant benefits than the simple outsourcing of cybersecurity work. The diversity of the hackers’ backgrounds and their external perspective are a considerable added value. However, the company must be able to quickly assimilate the acquired information to correct the vulnerabilities, and take this opportunity to develop the skills of its internal teams so as to avoid relying solely on the technical expertise of a handful of people outside the company.

Furthermore, one of the challenges is to find a common language between the company and the particular culture of hackers so that their cooperation can be as productive as possible.

Modern-day pirates or cyber-experts of tomorrow?

Bug bounty programs are both digital tools and fertile ground for a new form of hacking. They participate in the development of future cyber-experts. Nevertheless, the development of this phenomenon raises a great many organisational challenges for companies, since they are not yet used to working with “the crowd”, especially on issues as sensitive as security. These platforms offer important learning opportunities for hackers but also for companies. Firms can capitalise on these exchanges to transfer knowledge and skills in the field of cybersecurity.

1. Malekos Smith, Z., Lostri, E. & Lewis, J.A. (2020). “The Hidden Costs of Cybercrime”, Center for Strategic and International Studies (CSIS) & McAfee report, 2020.
2. Algarni, A., & Malaiya, Y. (2014). Software vulnerability markets: Discoverers and buyers. International Journal of Computer, Information Science and Engineering, 8(3), 71–81.
3. On “micro-work”, please read: Paola Tubaro, Antonio Casilli. Micro-work, artificial intelligence and the automotive industry. Journal of Industrial and Business Economics, Springer, 2019, pp. 1–13.
4. Zero-day vulnerabilities are security holes with no known patch or publication. This means that there exists no protection whatsoever (either temporary or definitive) against this type of unknown vulnerability.
5. A sandbox is a security mechanism whose aim is to run an application in a closed environment to protect the operating system from a possible infection.
6. Jo, A. (2021). Hackers’ self-selection in crowdsourced bug bounty programs. Revue d’Économie Industrielle, forthcoming.
7. For further reading see ENISA’s report “Cybersecurity skills development in the EU”, December 2019.

Contributors

Arrah-Marie Jo
Researcher at IMT Atlantique

Arrah-Marie Jo’s research focuses on the architecture of cybersecurity markets and the economics of information security. She is particularly interested in the interactions between the different actors involved in system security and their behaviour. Arrah-Marie holds a PhD in economics from the Institut Polytechnique de Paris (Télécom Paris) and is a researcher affiliated to the “Governance and Regulation” Chair of Université Paris Dauphine. Her 4 years of experience in IT management at firms such as Deloitte and CGI Business Consulting allow her to complement her academic approach with a more operational knowledge of the field.

David Massé
Researcher at the Interdisciplinary Institute of Innovation (i3-SES, UMR CNRS) and co-director of the economy-management group at Télécom Paris (IP Paris)

David Massé holds a doctorate from École polytechnique and worked for five years as a researcher at Ubisoft's Strategic Innovation Lab. His work focuses on innovation management and in particular: the organisation of the creative industries, the impact of digital technology on innovation processes and the different business models and action logics of the collaborative economy. He is co-author of the PiCo report which analyses the social and environmental utility of collaborative digital practices, the conditions of their diffusion and the levers of action of public authorities. He has published several articles in journals such as Research Policy, the Revue française de gestion and the International Journal of Arts Management. He acts as an expert for numerous public and private bodies (National Assembly, ministries, general councils, chambers of commerce, trade unions and various companies).