The Bug Bounty Hunter and The New Zero-Day Exploit Economy
In this article I demystify the new economy of crowdsourced bug bounty programs, such as HackerOne, Synack, and Bugcrowd, and the evolution of vulnerability research from the old Bugtraq days to for-profit research.
Bugs, also referred to as vulnerabilities in software, are flaws that can be abused to cause unintended behaviors in a system or application that result in the disclosure of sensitive information, negatively impact availability, or provide unauthorized access. These bugs are what malicious hackers build exploits around, enabling them to achieve their after-action goals across a long kill chain of steps. The lifecycle can thus be described as follows: a bug is first discovered in a piece of software or an application by vulnerability researchers or malicious hackers; an exploit is then created for the discovered bug; and, if the finder is a malicious hacker, the bug is actively exploited in the "wild" until the manufacturer or developer releases a fix or patch that renders the exploit ineffective.
I remember as if it were yesterday seeing the announcement of a new mailing list called Bugtraq in November of 1993 by Scott Chasin that would provide an unmoderated, open forum for security researchers and security practitioners around the world to collaborate on the discovery of new vulnerabilities and how to fix them. I first began getting involved in vulnerability research in my freshman year of high school in 1994, just a year after the mailing list was created. Bugtraq would soon become part of the SecurityFocus.com brand, a central nerve center for all things in cybersecurity research and news prior to its acquisition by Symantec.
Along with our other researchers, I published several vulnerabilities on Bugtraq under the old vulnerability research team I created, called Fate Research Labs, and had the privilege of publishing the first vulnerability on Bugtraq affecting Virtual Private Network appliances under my old moniker, Loki.
The open disclosure community was historically very much self-governed and was for a long time the subject of much debate. Each researcher or "team" had its own set of guiding principles, rules, and timelines for the process that ran from vendor notification to public disclosure.
SecurityFocus attempted to create a set of community-developed rules or bylaws (referred to as its disclosure policy) that were largely adhered to and widely adopted. For the most part, vendors were given proper notice prior to an advisory being published on Bugtraq, along with a deadline for a patch to be released before the researcher(s) went public with the finding. Historically, vulnerability research didn't result in any profit for the researchers; most were just seeking notoriety.
Bruce Schneier, famous for his symmetric-key block cipher Blowfish, once weighed in on the debate, saying that full disclosure was a "damned good idea." Schneier believed that public scrutiny was the only reliable way to improve security, while secrecy only made things less secure.
Fast forward twenty-five years and you have what is quickly becoming a new economy and career path, as researchers who once chased notoriety and recognition give way to a new generation of bug bounty hunters seeking to earn millions of dollars from their findings.
Bug Bounty Programs
There are different types of bug bounty programs: those run by the vendors themselves, in an effort to control the vulnerability disclosure and patch development and release process, and those run by third-party, for-profit companies in the crowdsourced bug bounty space. Companies such as HackerOne, Bugcrowd, and Synack help facilitate the creation, management, and disclosure of vulnerability bounty programs for companies and vendors. High-profile organizations, including the U.S. Department of Defense, have jumped onto these platforms; the DoD's recent "Hack the Pentagon" bug bounty program has now been opened up to include its weapon systems. Think of these companies as the proxy or mediator between the researchers and the target under research. In April of this year, UAE-based Crowdfense caused a stir when it announced a record $3 Million payout for bug bounties under the banner of what it called its $10 Million bug bounty program for bounties on Android, iOS, Windows, and Mac. However, the announcement became polarizing when the company said it would not be disclosing the vulnerabilities to the manufacturers, but would instead sell them to government agencies.
The vendor-run bug bounty programs are paying top dollar, from Microsoft, which pays $15,000 for critical bugs with a cap of $250,000, to HP, which recently announced payouts of up to $10,000 for vulnerabilities discovered in its printer line. HP selected Bugcrowd as its platform partner, taking a crowdsourced approach to the vulnerability management process.
The income received by researchers is certainly no small change. Jobert Abma, co-founder of HackerOne, for example, has earned $80,000 in eight months on bug bounties, and other researchers at HackerOne individually earn $200,000 a year. Synack, for example, recently announced at the Money 20/20 conference I attended in Las Vegas that it had reached a $1 Million payout to one of its own bounty hunters. The potential income that bounty hunters are earning is accelerating at a staggering rate. HackerOne announced it had paid out $7 Million in bounties in April of 2016 alone.
The New Debate
So the vulnerability research mailing lists of the 1990s have all but disappeared and given way to a new for-profit system intended to encourage more researchers and the responsible disclosure of discovered vulnerabilities. The once-nascent bug bounty industry continues to grow at a rapid pace, with growth largely fueled by a surge of venture capital in the tens of millions of dollars being poured into the industry titans as all three major bug bounty services, Bugcrowd, HackerOne, and Synack, compete for their share of the market.
But have these crowdsourced bug bounty companies made the black market for zero-day exploits irrelevant? Are so-called "blackhats," or malicious hackers who are identifying zero-day bugs, willing to sell their latest wares to the legitimate services of Bugcrowd, HackerOne, or Synack as an alternative to the money they can make on the black market?
Only time will tell.
In the meantime, I am currently researching this new market and will be producing an industry report on it, with each service profiled separately, in reports released later this year at Aite Group.
About Alissa Knight
I am a senior analyst with Aite Group, where I perform focused research into cybersecurity issues impacting the financial services, healthcare, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and development of industry models. I provide these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective, and accurate research and content development. Out of my research into the contemporary cybersecurity issues affecting these industries today, I produce research reports and white papers, and provide advisory services that include inquiries, briefings, consulting projects, and presentations on study findings, as well as bespoke speaking engagements; I often keynote at cybersecurity conferences, seminars, and roundtables annually.