We can’t fix all the new vulnerabilities, so let’s fix the system

As the political climate heats up, so does the new era of cyberwarfare. In recent history, nation states supplemented military conflict with attacks on digital infrastructure to either gather intelligence or cause outages. Now, given their high impact and versatile use, there is more reason to include cyber attacks not only before a conflict, but during and after it as well. In fact, there is no reason to stop. To maximize effectiveness, cyber attackers target not only government-owned equipment but also banks, transport and infrastructure to cause damage. Securing one set of systems is already a challenge; now we face the problem of securing an entire nation’s systems.

One place to start is to reward the good guys who find vulnerabilities and report them.

The phrase “bug bounty” has gone mainstream as Microsoft, Google, Facebook, General Motors and even Starbucks have turned to the crowd for help in fixing security problems. But for all the success that some have achieved with their bug bounty programs, others — like Apple and DJI — have run into trouble. And that’s considering companies that have introduced these programs in the first place; at most organizations, the bug bounty adoption curve is virtually non-existent.

However, the bug bounty system has problems. Organizations’ varied attempts at approaching such programs reflect their failure not only to understand hacker incentives, but to collaborate on solving a shared problem. What bug bounties are missing is a way to standardize and mitigate risk. In fact, bug bounty programs have a lot to learn from an industry that exists solely to manage risk: insurance.

The bug bounty market is still relatively nascent, and it is broken. I propose a new way to look at crowdsourced security. Here’s how one of the world’s oldest industries can help.


The ugly bug

Let’s first take a look at the current state of bug bounties. Despite their potential as marketplaces with perfectly aligned incentives (in theory), the reality is that most companies struggle to formally get such programs up and running. Even with new technology making crowdsourced vulnerability reporting possible, every bug bounty program still falls under the responsibility of the individual company to establish its own rules and payout structures. From the point of view of a hacker, this means each program looks different: disclosure stipulations and response times vary wildly, and it’s usually impossible to find the correct point of contact.

Google and Facebook are notable exceptions and should serve as the example for everyone else. Total payouts reflect their efficacy: Facebook paid out $880,000 in 2017 with a respectable average bounty of $1,900, and Google coughed up $3 million in 2016. But what about all other companies, especially those in technology? Their collective payouts are pocket change by comparison — and that’s if they offer a program at all.

At the core of the adoption issue is a lack of transparency. Most companies list a minimum payout, which is great for low-priority bugs. But most don’t declare a maximum. That’s a buzzkill for hackers, regardless of their intentions: they’re left in the dark on whether a bug is worth the time and effort to report if they don’t know what they will receive in return. And in the case of grey and black hats, if the bug bounty can’t guarantee a worthwhile payment upfront, hackers are sure to turn instead to the underground marketplace for their reward, leaving the company with clean-up costs that can run into the millions depending on the severity of the vulnerability. Places like Dream, Hansa and AlphaBay exist on the dark web because people pay for this data and access. Zerodium built a business model on paying large bounties in bitcoin for reliable exploits. If that fails, well, money can be made by announcing the hack and shorting the company’s stock instead.

For hackers, the economics of the typical bug bounty aren’t worth the trouble. This needs to change.


Borrowing from insurance

To cure their woes, the bug bounty industry should look no further than risk pooling. Best known as a common insurance practice, a risk pool combines large numbers of people to minimize the cost impact of the highest-risk individuals in the group. Health and auto insurance companies, for example, use risk pooling by insuring people who are unlikely to need protection in order to cover the cost of people who are more likely to need it. This reduces costs for both the insurance carrier and its customers.

Just like insurers and the insured, companies need to work together to mitigate risk. Here is where a joint bug bounty system comes in. Instead of a single organization paying out a bounty, companies should create a shared pool of rewards and, to ensure privacy across parties, host it on an established system like HackerOne or Bugcrowd.

With a unified bug bounty system, companies small and large can lay out a shared set of criteria: reporting practices, payout maximums and minimums, and clear guidelines on what constitutes a bug. In turn, companies will have access to richer information about their peers and can ensure their payouts and pay-ins align with the industry’s “going rate” for continued engagement with the hacker community. What’s more, companies can share information about disclosures and use that insight to inform their own security operations and developers.

It’s time for bug bounty programs to get smart on incentives. Software and non-software companies alike need to incentivize hackers to do the right thing. Hackers shouldn’t think twice about reporting major issues. Companies need to establish programs that work. Otherwise, they are simply asking to leak their important vulnerability information to dark places.

Either that or we can wait for this cyber thing to blow over.


Matthew Honea is the cyber director at Cyence, a product family of Guidewire, where he spends most of his time on research and development related to cybersecurity. He can be reached at mhonea@guidewire.com