Bug Bounty Evolution -- Not Your Grandson’s Bug Bounty
Updated: Sep 1, 2022
There’s nothing quite like being on the stage at Black Hat and on some fun policy panels at DEFCON 30. It was good to be back in Las Vegas after three years--especially given the past two years of pandemic-related isolation. After recovering from a frightening COVID case in March 2022, I was once again reminded of how fragile and short life is. We only have so many days in which to live our one precious life on Earth, which inspired me to include some existential topics in my Black Hat talk.
Bug bounties are just one example of how we’ve lost sight of some fundamental truths when it comes to work and labor rights. I know there are better cyber workforce models and ways to treat each other that also result in better security outcomes. Read on to learn some practical metrics & hybrid workforce models you can put to immediate use in strengthening your security program as a whole, as well as find out where to get help.
Enter the Parable of the Long Spoons, which I used to illustrate the world we live in, where how we treat each other is the only difference between Heaven and Hell. The premise is that the resources we all need to survive and thrive are within reach, but if we try to only feed ourselves selfishly, we end up worse off despite the abundance all around us.
Above all else, we need to use our days on Earth in a way that doesn’t just accumulate as much cash as possible at the expense and exploitation of others, but to help people in any way we can.
I used my time on stage and spent throughout the week with the community to discuss the ongoing problems I see with modern bug bounty programs, highlight the actions we can take to help address labor exploitation, inappropriate NDAs, and other cyber workforce issues, and share some exciting Luta Security announcements.
The Trouble with Bug Bounties – And Some Solutions
Bug Bounty programs as practiced commercially over the past decade have failed to deliver on some lofty potential, and we believe it’s because they’ve followed a fairly narrow Venture Capital-based forced growth model that ignores the security posture of the organization as a whole, in favor of swinging the bug bounty hammer, treating every organization like a similar kind of nail.
Bug bounties are only effective when they are part of a balanced overall cybersecurity strategy and not just “Bug Bounty Botox”. If you’re not willing to fix your internal processes to be able to handle the intake, context-aware triage, and comprehensive fixing of reported vulnerabilities—you shouldn’t have a bug bounty program. Read on for tips if you already have a bug bounty or are thinking of starting one.
1. Maturity Matters
In my talk, I observed that during the past six years, we identified three major maturity trends, thanks to our Vulnerability Coordination Maturity Model, that highlight some of the most serious issues with today’s bug bounty programs. Download the VCMM Framework for free or contact us to perform an assessment of your capabilities and build you a prioritized roadmap for sustainable VDPs and Bug Bounties. Organizations can take steps right now to get started down the path to sustainable vulnerability handling process maturity, but there are some hard truths every organization must face when launching or managing a bug bounty or vulnerability disclosure program:
Without at least basic organizational commitment and communication capabilities, bug bounties and Vulnerability Disclosure Programs (VDPs) will eventually fail.
More engineers won’t save you – developers are usually incentivized to create new features, not fix bugs.
Investors don’t really care if their billion-dollar-valuation unicorn is hackable as long as they get their exit
2. Start Recording the Right Metrics and Act on Them
Most organizations cannot count and evaluate their bugs in a meaningful way to gauge the health and Return On Investment (ROI) of their bug bounty program, let alone their overall security program.
Almost all bug bounty platform providers now include some language about preparing for a program that glibly says organizations need to be prepared to fix their bugs. None of the bug bounty platforms provide the metrics in a dashboard that organizations need to measure program stats with enough granularity to make the right security investments internally.
Bugs are a symptom of underlying security problems. Fixing those bugs is important but is ultimately just treating those symptoms if that’s all organizations focus on. Measuring pain points in people, process, and technology and correcting internal deficiencies is the cure.
A few metrics your bug bounty platform won’t give you in a dashboard, yet are vital for a successful VDP or bug bounty program, include:
Use these metrics to make smart security investments, to hold bug bounty platforms accountable for their role in the relay race of vulnerability handling processes, and to spot opportunities to train and elevate the security skills of those in your organization responsible for writing code ideally with fewer and more complex bugs over time.
3. Exploit Bugs, Not People – Hybrid Gig Economy & Contract Penetration Testing
None of us should be ok with how the current bug bounty platform business models exploit hackers. It’s the only gig economy job where you can do the work, have it validated, and still not get paid (as is the case with duplicate reports).
Also, I cannot say this enough -- the bug bounty platform providers need to stop requiring researchers to sign non-disclosure agreements (NDAs) when their pay is not guaranteed, and certainly not for Vulnerability Disclosure Programs with no bounties at all. Why would anyone ever sign an NDA for the privilege of telling an organization what’s wrong with them, especially when they may not get paid for their work? There are other ways to harness the power of an entire world of hackers without exploiting them and forcing them to sign NDAs inappropriately. With all that said, NDAs are perfectly appropriate in the case of penetration testing contracts.
We work with our customers and bug bounty hunters in a bounty-to-contract hybrid model where we:
Spot a duplicate vulnerability affecting a different endpoint coming from the same bug bounty hunter,
Recognize they may have found many affected endpoints but are trickling in the reports to attempt to get paid for each of them individually, which normally does not result in payment
Orchestrate a targeted penetration test contract that is generally fair but lower than if each bug were paid separately, yet significantly higher than $0 normally paid for duplicates.
This way, we orchestrate a non-labor-exploitative way to get the affected endpoints reported in a single spreadsheet that is more efficient for both parties and pay that hacker for their work on a pre-agreed price and schedule.
For guaranteed pay, NDAs are A-OK.
For bug bounties & VDPs, NDAs are not for me.
This way, everybody wins. In the Long Spoons Parable, everybody eats.
Luta Security Updates and Announcements
1. Hiring & Building the Next Generation of the Cybersecurity Workforce in Defensive Roles:
Luta Security is building on our existing workforce hiring and training apprenticeship model to create a government-registered cybersecurity apprenticeship program. During the White House National Cyber Workforce and Education Summit that I attended on July 19, 2022, the U.S. Departments of Labor and Commerce announced a 120-day Cybersecurity Apprenticeship Sprint to promote registered apprenticeships. We’ve taken up the challenge and have started the process.
We’ve found that organizations often lack experienced personnel to properly manage the internal vulnerability handling and resolution process. In fact, once people perform these roles for a couple of years, they are eager to move onto another job. This is why we hire for background skills and train in role-specific ways, as should any organization planning to manage their own internal VDPs and bug bounties. These VDP and Bug Bounty internal roles include what we normally hire for - apply for our open roles here and check out my labor rights philosophy.
2. Crowdsourcing Sales – Open Referral Bounty
We’ve extended our proverbial long spoons to refer our customers to the bug bounty platforms many times over the past several years, and even hired bug bounty platforms ourselves on behalf of our customers, as part of our end-to-end managed service. What we’ve never seen in over six years of running Luta Security is a single email referral or customer introduction coming from the bug bounty platform providers to us, even though our mutual customers would certainly benefit, and healthier bug bounty programs would be the result.
So, we are crowdsourcing sales referrals to the world, knowing that bug bounty hunters especially will see the benefit of having more bug bounties and VDPs fix their internal vulnerability handling processes by working with us.
Luta Security announced a Referral Bounty open to the world so eligible individuals can earn money by providing email introductions to organizations that need our help that result in specific Luta Security service contracts. There are also bonuses of up to $100,000 USD at the end of the year for the person who makes email introductions that result in the most signed 1-year managed service contracts.
Service Eligible for Referral Bounty
Referral Bounty Amount
6-Month End-to-end Managed Service
1-year End-to-end Managed Service
Long Spoons, Short Days
We only have so many days to live our one precious life on Earth. We’re busy at Luta Security reimagining the world we live in to be better for everyone, not just a few traditional beneficiaries of capitalism. From championing pay equity in our lifetime to creating more fair ways to engage with talented security workers from bug bounty hunters to Security Program Managers, we’re practicing what we have always preached in terms of only exploiting bugs, not people.
Join us as we work to make significant changes in organizations’ overall security strategies and labor practices that will have positive cybersecurity outcomes for workers, organizations, and the world we live in -- not just for ourselves during our few precious days on Earth, but also for the foreseeable future, and for all those who come after us.