The curious case of bug bounty programs

Sandesh Anand January 20, 2017 5 min


Consider this: A 20-something kid (let’s call him Skiddie) from a different part of the world is lurking around your property, looking for weaknesses that can be exploited for profit. Is the lock on the front gate too weak? How easy is it to just jump the fence and steal from your garden? Can the owners be tricked into handing over their family jewels?

Skiddie’s intent is not to exploit any of these weaknesses. Instead, he knocks on your door and tells you there are things “you should know”. He says it is pretty easy to break into your house and do harm; he can also tell you exactly how the harm could be caused. He knows how to fix the weaknesses as well.

Now you are listening. You ask him to go on. He says he is happy to give you all the information you need to secure your house, but he’s worked hard at the research and deserves a small reward. Cash would be great! Some swag (T-shirt, mugs) would do too.

You are puzzled. You didn’t ask him for his services, so why would you pay him for them now? He gets mad. He mocks you for having a sham of a security system and questions your abilities as a homeowner. Skiddie goes on to tell you that he can screw you by telling the world about the weaknesses.

Depending on who you are, your next steps will fall somewhere between giving him something he wants to get all the information he has, to suing him in court.

Most of you probably sympathise with the owner and are annoyed at Skiddie. But in the world of internet security, Skiddie is often celebrated, even called a “researcher”, and for good reason. Researchers like him help uncover gaping security holes in websites that would leave millions of us vulnerable. With enough time, they are able to uncover vulnerabilities in applications developed by top-notch engineers in billion-dollar companies. Case in point: Anand Prakash from Bangalore discovered a bug last year in facebook.com, using which he could hack into any Facebook account.

The rise of bug bounty programs

There is great value in having researchers find vulnerabilities in your systems before the bad guys do. But you want to know about them first, not have the experts screaming about them on blogs. So, companies eventually worked out a way to bring these researchers on their side — they do so by paying them to find “bugs” and offering a “bounty” in return.

The first bug bounty program was designed in 2004 by Netscape, a US computer services company best known for its Netscape Navigator, which incentivised users to provide feedback to the company. It took another five years for bug bounties to go mainstream and Mozilla’s (rather profitable) bug bounty program can largely be credited for this.

Now, many companies run bug bounty programs and pay researchers handsomely for the vulnerabilities they discover. Facebook paid over USD 600,000 (INR ~4 crore) to 149 researchers globally in 2016 alone (Indian researchers received the maximum payout). From companies paying researchers and employing them in teams running bug bounty programs to startups such as BugCrowd and HackerOne that help enterprises set up such programs, there is now a small emerging economy surrounding bug bounties.

[Image caption: Bug bounty programs mitigate the risk of researchers causing harm by having strict “responsible disclosure” rules]

For Indian researchers, especially, bug bounty programs are very attractive. Most companies operating such programs are from the US and make payouts in USD. Spending a few hours to find a bug can earn you hundreds of dollars (which is beer money for weeks, or at least a few weekends). For companies, it’s a great way to get some extra help — they can have talented individuals from the world over help secure their systems.

Before bug bounty programs came into being, researchers who found vulnerabilities in organisational systems would cause harm or, at a minimum, brag about it in blogs and chatrooms, leaving these companies open to abuse. Bug bounty programs mitigate this risk by having strict “responsible disclosure” rules. This means the researcher cannot disclose the weaknesses to the world until the company fixes them. Breaking the rule means no payout and possible legal action. On the other hand, once the bug is fixed, researchers are allowed to talk about their exploits in blogs. This helps improve their street cred and shows the company concerned in a good light, as it was responsive and took action to fix the bugs.

It’s not all bountiful

For all the positives, bug bounty programs have a dark side to them. While companies that can afford such programs profit from them, there are countless others, including mom and pop stores, who have no idea how to deal with such researchers. Then there are governments, who have no coherent strategy for responding to researchers. Such an incident played out in full public view when Javed Khatri, a 22-year-old researcher from Mumbai, uncovered serious security issues in the Narendra Modi app.

At the other end of the spectrum, there are countless stories of disgruntled researchers demanding their “fair” share. Ugly brawls on social media are not uncommon either. There is always the threat of a lawsuit, though one rarely (if ever) happens. If things do go to court, “hapless individual vs giant corporation” is a legal battle with a predictable ending. The worst end for a researcher is to be branded a “black hat”, which in the information security world equates to turning rogue.

There’s obviously a lot more nuance to all sides of the bug bounty debate. However, there is no doubt that bug bounty hunters add a great element of drama to the often dreary world of cybersecurity.


Online security and privacy will change the way we think about our digital lives. This column attempts to showcase the nuances of those changes by exploring facets in the intersection of cyber security and everything else.

Update (3.45 pm IST, January 20, 2017): We added a description of the column.