They are a nightmare to businesses: they steal identities, paralyse organisations and break into cryptocurrency exchanges. Two-thirds of companies worldwide are reported to have suffered a cyberattack in 2020, representing a loss of more than USD$1 trillion, approximately 1% of global GDP [1].
To combat security vulnerabilities, companies are increasingly turning to so-called bug bounty programs. The premise is simple: companies allow hackers to probe their programs, websites or apps in search of security weaknesses, which the hackers then report. Whilst companies gain many advantages from doing so, the primary benefit is financial. Unlike a traditional cybersecurity audit, which is expensive and must be repeated regularly, in a bug bounty the company only pays when a new weakness is actually found.
A popular phenomenon
Platforms connecting companies and ethical hackers first appeared at the end of 2013, and since then the market has expanded rapidly. For instance, HackerOne, the market leader, has registered more than 7,000 companies using its services. This represents more than USD$100 million in bounties paid between 2013 and May 2020, and an average annual growth of 86% in the total compensation paid out by companies.
In the beginning, the use of bug bounty programs was limited to web and tech companies (Netscape, Mozilla, Google, Facebook, Microsoft) and to companies specialised in cybersecurity. Today, however, bug bounty programs are used by both the private sector (United Airlines, BNP Paribas) and the public sector (the European Commission, the AntiCovid app), by companies outside the Web industry (Starbucks, Hyatt, General Motors) and even by organisations traditionally reluctant to share confidential information (defence, military). The growth of bug bounty platforms shows that they have become an established practice, used widely by organisations of every kind.
An alternative to the black market?
At first, one might think that this type of platform could divert hackers from illegal trade on the dark web. For a hacker, there might be no point in selling a security breach on the dark web when it is possible to get a bounty by reporting the vulnerability directly – and legally – to the company in question.
However, things are more complex in reality. Bug bounty programs and the dark web continue to co-exist, and the motivations and activities of hackers in the two worlds differ markedly. On the dark web, the objective is not to find a security flaw and have it corrected. Rather, the goal is to build a tool capable of exploiting the flaw in order to carry out malicious attacks, such as planting malware or spyware to steal confidential data. By contrast, for “ethical” hackers (or “white hats”), bug bounty programs are an opportunity to do something useful for society whilst honing the skills that will make them security experts [2].
A wide range of programs and tasks
Managing a bug bounty program might seem relatively standardised. In practice, however, searching for bugs covers a wide range of tasks and activities. In some cases, the search for security flaws resembles mindless work [3]: it demands little expertise and is a rather routine activity. On other occasions, the work offers more freedom and requires more advanced skills, especially when the objective is to dig through operating systems in search of “zero-day” vulnerabilities [4].
This is the case for the famous computer hacking contest Pwn2Own, which mainly targets web browsers, virtual machines and connected cars. Hackers are invited to take control of a system by chaining several attacks together. The difficulty of the task is reflected in the prize: the more critical and complex a previously unknown vulnerability is, and the better it is documented with recommendations for fixing it, the larger the reward. Google, for example, offers USD$100,000 to anyone who can demonstrate a live escape from Chrome’s “sandbox” [5].
A platform, school and recruitment agency
For young hackers interested in cybersecurity, bug bounty programs are also an excellent way of learning on-the-job. The platform allows them to work on real websites and applications, in a legal manner. Both the hacker community and the platform itself play an important part in the dissemination and exchange of knowledge. The platform publishes “exemplary” reports, organises meetings between hackers, or offers online training courses to promote exchanges and learning.
The platform also acts as a showcase where hackers can demonstrate their talents, receive recognition and so build up a “CV” for companies. Every hacker has a publicly visible profile showing the statistics of his or her past engagements and performance level. Various incentives to encourage competition are in place, such as award ceremonies, badges and rankings of the best hackers [6]. It is not surprising that companies also use these platforms to recruit competent people in cybersecurity, as they are often confronted with a shortage of such skills on the labour market [7].
For companies, in the long run, bug bounties can bring even greater benefits than the simple outsourcing of cybersecurity work. The diversity of the hackers’ backgrounds and their external perspective are a considerable added value. However, the company must be able to absorb the information it receives quickly enough to correct the vulnerabilities, and should use the opportunity to develop the skills of its internal teams rather than relying solely on the technical expertise of a handful of people outside the company.
Furthermore, one of the challenges is to find a common language between the company and the particular culture of hackers so that their cooperation can be as productive as possible.
Modern-day pirates or cyber-experts of tomorrow?
Bug bounty programs are both digital tools and fertile ground for a new form of hacking, and they contribute to the development of future cyber-experts. Nevertheless, the growth of this phenomenon raises a great many organisational challenges for companies, which are not yet used to working with “the crowd”, especially on issues as sensitive as security. These platforms offer important learning opportunities for hackers, but also for companies, which can capitalise on these exchanges to transfer knowledge and skills in the field of cybersecurity.