Bug Bounty Programs
In the late 90s, the world of consumer technology was in the midst of a type of golden age. Personal computers were appearing in every home, online shopping was starting to hit a viable point, and businesses had begun to rely on freshly developed software and hardware to meet demands and grow. On the flip side of all these things was a litany of new security threats, backdoors, and vulnerabilities.
For a lot of the corporate world, it was around this time that cybersecurity became an integral component of any viable, large business. For a CEO or board member, this transformation came down to the decision to hire outside professionals. However for the professional software developers, engineers, and coders who would be hired into these positions this transformation would mean countless man hours of testing and redesigning to ensure that people and businesses alike could easily use and rely on the programs and devices they pay for.
The Bug Bounty Program
As any developer will tell you, an easy and effective way to identify security flaws, errors, and otherwise unwanted elements (often referred to as "bugs"), is to allow a ton of people to interact with your product. As industry veteran Richard Garriott once commented:
"testing the [product] in-house, is an entirely inadequate test in contrast to the reality of being in the hands of users".
Richard Garriott, on testing Ultima Online (1997)
It was this logic that led Netscape to launch the first bug bounty program in 1995. Some of you will remember Netscape as the default browser from your Macintosh computer back in the day. Back then, Netscape was hoping to make the 2.0 version of its browser secure while also perhaps drumming up some publicity and so Vice President Matt Horner opened a contest to the public: cash prizes in exchange for revealing security flaws and other bugs with the soon-to-be-released browser. After the competition ran for a while, the winners of the contest were announced and that was the end of that.
The Bug Bounty Program as we know it today functions the same way; specialists and researchers scour over a program or device looking for errors or lapses in security. They then prepare professional reports for whomever is running the program.
Your Business, Your Program
It would take some time for this model to catch on with others. Over the next decade, most of the major bug bounty programs would be run by cybersecurity and defense companies as well as larger software developers like Mozilla. These however were mostly done as a cultural or community event as opposed to a career path. In the mid 2010's, larger tech companies began to employ the bug bounty program as a research tool and many kept the programs ongoing. Depending on the nature of the bounty, security specialists could find themselves earning hundreds or thousands of dollars per find.
If you're considering the use of a bug bounty program then you'll want to do a little research on the process and your options, but its generally a pretty simple venture to undertake. A program like this is a supplemental security measure that pays off in its own time (like plenty of other investments). When used in conjunction with standard security measures and practices, bounty programs add an adaptive layer of security to your business.
While UMD doesn't have its own bug bounty program, we were recently approached by a freelancing security analyst who had found a potentially serious security flaw for us. Somehow this well-meaning wanderer had discovered something in the code for our store and had been kind enough to approach us about it. Understanding the bug-hunting world, we were happy to pay him a fair bounty for his report and solution for the problem. It would have cost us far more in labor trying to manually search for this bug and correct it than it did to just cough up the bounty. This is probably the same calculation you should be making if you're approached by someone claiming to have found a problem with your service. Instead of freaking out and threatening legal action, just consider that the bounty hunter has something genuine to offer you.
For many this situation may seem strange but the truth is that plenty of your favorite devices and programs rely on this kind of interaction happening thousands to millions of times before their products finally reach the (nearly) foolproof status that consumers experience and often demand.
Underbelly of Bug Bounty Hunting
In 2011, in an unprecedented move, facebook removed the upper limit on its bug bounty program. While bug bounty hunting was already widespread and involved plenty of money, this marked a turning point in the discourse around bounty hunting. After all, we must consider that the specialists charged with finding and reporting these bugs frequently teeter on the edge legality. So while companies were upping the ante on the bugs they were asking for, they were also inviting security specialists (or hackers as they are more commonly known) to try even harder to infiltrate and break their systems. For hackers this meant bigger threats, bigger payout, but no added protections.
The Computer Fraud and Abuse Act is a 1987 law that made hacking of this nature a federal crime. The unfortunate reality is that, even from the earlier days, most bug bounty programs have intricate legal terms that generally leave bounty hunters unprotected.
The assumption has long been (and in some instances holds true) that bounty hunters enter a protected realm when they bug hunt in good faith. This however is simply not the case and bounty hunters have repeatedly found themselves staring down the barrel of a federal charge with fines in the millions of dollars and jail sentences ranging from several months to a few decades.
Take Kevin Finisterre, a cybersecurity researcher, for instance. In 2017 Kevin tried his hand at a newly opened bug bounty program being run by Da-Jiang Innovations Science and Technology Co., Ltd (Or DJI, for short); a chinese tech firm largely known for developing cutting edge drone technology. Kevin has since commented that even at the time, he felt that the legal terms and protections of the program "left much to be wanted".
As Kevin tells it, on his first day of hunting he was able to find plenty of sensitive company information, metrics, passwords, etc. all in "plain-view". All told, the bugs Mr. Finisterre found during his hunt totaled to a bounty of $30,000. While that is certainly an impressive bounty, the reason Kevin's story is told today is that he was eventually forced to turn down the money. After some heated exchanges and ignored emails, Kevin Finisterre began receiving emails from lawyers trying to discredit his findings on technicalities. When Kevin demonstrated his legal standing on the matter, he was threatened with a CFAA charge; the same draconian law that bounty hunters must always be aware of and ready to contend with.
For people running bug bounty programs today, especially from a larger corporation or business, should be aware of the kind of context the DJI case provides. When setting up terms for your own bounty program, you should ensure that reasonable protections are provided for participants. Many have spoken out and demanded qualified immunity while researching, and some programs have complied. At the end of your day, just try to be fair and maintain good faith between yourself and your researchers. Not just for moral reasons either! With so many programs to choose from today, it's important your bounty program is perceived as attractive and safe.
Bug Bounties Today
Today Bug Hunting is a full-blown industry with people ranging from hobbyists to full-time professionals. If you're looking to get into the world of bounty hunting then you'll want to take some time to learn technique but also best practices as you'll need your reports to hold up against the rest of the community. Today's programs are run pretty tightly and have much more structure than their predecessors.
Since the DJI case, there have been some attempts at reform, particularly in regard to how bounty programs operate. For the most part, though, bounty programs have gotten more sophisticated, higher-paying, and more precarious. Meanwhile, some officials have advocated for the expansion of the CFAA to designate more actions while on a computer as chargeable offenses.
Today there are bounty hunters working on every program and device you can think of; there are ongoing general bounty programs for Windows and Mac OS, and even your Xbox or PlayStation. Also, thanks to platforms like hacker.one, security researchers are able to disclose and discuss sensitive matters in a safer environment. However, participation in the system varies from program to program. An alternative platform garnering some attention is Cobalt, which allows businesses to run and manage their own bug bounty programs using the platform as an intermediary.
At UMD, we have a fondness for open source-ers, hackers, and makers. So let this post serve as a small thank you to those in the tight-knight bug bounty community who sometimes put themselves at risk so our apps can function, eventually.