Bug Bounty Programs: How ethical are they?

Bug bounty programs are an industry best practice, implemented by both public and private sector organisations across industries and regions. A large number of organisations have implemented bug bounty programs including Facebook, Google, Microsoft, and Alibaba, just to name a few.

Some governments are also using bug bounty programs to check their own systems and to protect their citizens. HackerOne, a leading hacker-powered security platform, recently announced that it will partner with the Government Technology Agency of Singapore (GovTech) and the Cyber Security Agency of Singapore (CSA) to work with hackers from all over the world to further protect Singapore citizens by testing public-facing government systems. This is HackerOne’s third bug bounty initiative with the Singapore Government, following successful prior programs with GovTech and MINDEF Singapore.

The bug bounty initiative will invite a select group of proven ethical hackers to test GovTech systems in exchange for a monetary reward, or bounty, for valid reports of security weaknesses. GovTech Singapore joins government agencies such as Singapore MINDEF, the U.S. Department of Defense, the U.S. General Services Administration, NCSC, and the European Commission, which have selected HackerOne to leverage the global hacker community to detect unknown security vulnerabilities before they can be exploited by criminals.

Laurie Mercer, Security Engineering Lead at HackerOne, in an interview with Cybersecurity Asean, explained how the program is helping governments and enterprises deal with cyber threats.

“The acceleration of preventable data breaches has led regulators in privacy-minded countries to recommend or even mandate the use of vulnerability disclosure programs (VDPs) and bug bounty programs. For example, the proposed Code of Practice for Consumer IoT products in the UK, the Department for Homeland Security in the USA, and the Monetary Authority of Singapore (MAS) are all discussing how to encourage governments and enterprises to implement and regulate such programs to enhance privacy and information security.”

Defining bug bounty programs
Laurie defined bug bounty programs as being continuous, efficient and powerful. Bug bounty programs are able to match the speed of modern software development, where software changes can be pushed to production several times an hour and even infrastructure is defined as code. Bug bounty programs also capitalise on the skills of hackers in one or a few specific domains.

“Let’s take a hacker who specialises in finding bugs in iOS mobile applications as an example. As a hacker on HackerOne, this researcher can look for vulnerabilities in the iOS applications of over 1,400 different organisations that use HackerOne to run their bug bounty programs. This maximises the value of their skills and the amount of money they can earn. In return, many organisations can benefit from the skills of this one hacker. Unlike traditional employment, inviting this hacker to find vulnerabilities in one organisation does not take them off the bench so that they are unable to work for other organisations. It is a better way of sharing unique skills between different organisations.”

Furthermore, Laurie added that by paying for results rather than for time spent, funds are not wasted on irrelevant activities, which makes the model economically efficient. Explaining how bug bounty programs are powerful, Laurie said most security teams are limited to a few people, and it is impossible for them to know everything, which is why organisations outsource parts of their cybersecurity work.

“That is why we often use external contractors. But again, the skills and knowledge of these contractors are limited, and you can probably only afford a few of them. A bug bounty program gives companies access to the world’s best talent and access to the premier league of hackers.”

Trusting ethical hackers
While Laurie explained how bug bounty programs can make, and are making, a difference, convincing society that hackers can be a benefit remains a challenge.

“We can say that there is a trust gap between hackers and organisations. This trust gap works both ways, by the way. Many hackers are afraid that if they report a bug that they find, they will not get paid fairly for it, or even get in trouble for finding the bug. That really is why platforms like HackerOne exist. Through community engagement, a reputation system, and skills identification, HackerOne customers can trust the global hacking community. Conversely, by publishing an organisation’s average time to bounty, average payout and even some recent bugs (hacktivity), hackers can trust organisations, and sign up for jobs knowing that they will be paid fairly and promptly.”

Having said that, Laurie pointed out that when a hacker is invited to find vulnerabilities, there are always clear ‘rules of engagement’, which include the program scope (what to test), the program rules (how to perform testing) and the types of vulnerabilities that are and are not allowed to be tested.

For example, most bug bounty programs prohibit social engineering and DDoS testing. By adhering to the rules and submitting valid bugs, hackers can gain reputation, earn money, and be invited to more and more programs. 
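The scope and rules described above are what a program's triage team checks first when a report arrives. The following is an added example of how such a check can be automated on the program-operator side; it is not code from HackerOne or from the article. The policy (hostnames under the reserved `.test` domain, the prohibited-technique list and the `assess_report` helper) is constructed for illustration. It handles the cases that commonly go wrong in scope matching: a wildcard entry must not match its own apex host, an explicit out-of-scope entry overrides a broader in-scope wildcard, and a look-alike host that merely begins with an in-scope name is rejected.

```python
"""Triage-side scope check for bug bounty reports (added example, constructed policy)."""
from urllib.parse import urlsplit

# Constructed program policy; the hostnames are placeholders under the reserved .test TLD.
IN_SCOPE = ["app.example.gov.test", "*.api.example.gov.test"]
OUT_OF_SCOPE = ["legacy.api.example.gov.test"]
# Testing techniques the program rules forbid, compared case-insensitively.
PROHIBITED_TECHNIQUES = {"social engineering", "ddos", "physical intrusion"}


def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one scope entry, with '*.' wildcards."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".api.example.gov.test"
        # The wildcard needs at least one label in front of the suffix, so the
        # apex host (api.example.gov.test) itself does not match '*.api...'.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def target_host(target: str) -> str:
    """Extract the hostname from a bare host or a full URL (port and path dropped)."""
    if "://" not in target:
        target = "//" + target  # let urlsplit treat it as a network location
    return urlsplit(target).hostname or ""


def assess_report(target: str, technique: str) -> tuple:
    """Return ('accept' | 'reject', reason) for a report against the program rules."""
    host = target_host(target)
    if not host:
        return ("reject", "report does not name a testable host")
    if technique.strip().lower() in PROHIBITED_TECHNIQUES:
        return ("reject", f"technique '{technique}' is prohibited by the program rules")
    # Explicit exclusions win over any in-scope wildcard they sit under.
    if any(host_matches(p, host) for p in OUT_OF_SCOPE):
        return ("reject", f"{host} is explicitly out of scope")
    if any(host_matches(p, host) for p in IN_SCOPE):
        return ("accept", f"{host} is in scope")
    return ("reject", f"{host} is not in scope")


if __name__ == "__main__":
    # Constructed sample submissions as they might appear in a triage queue.
    samples = [
        ("https://app.example.gov.test/login", "XSS"),
        ("https://v2.api.example.gov.test/users/1", "IDOR"),
        ("https://legacy.api.example.gov.test/", "SQLi"),
        ("https://api.example.gov.test/", "SQLi"),
        ("https://app.example.gov.test.attacker.test/", "XSS"),
        ("app.example.gov.test", "Social Engineering"),
    ]
    for target, technique in samples:
        verdict, reason = assess_report(target, technique)
        print(f"{verdict:6} {target:48} {reason}")
```

The matching is deliberately string-based on the hostname only: a report URL's port, path and query do not change whether the asset is in scope, and a host that ends in an attacker-controlled domain never matches, however much of an in-scope name it embeds.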

“People often ask me, what happens if a cybercriminal uses HackerOne? And in return I ask them, would a criminal who likes to break into houses to commit burglary, register their name and bank details on a website called housebreakers.com?”

Laurie insists that HackerOne does not give any advantage to a criminal as the assets they test are publicly available. On the other hand, there are massive disadvantages to a criminal having a HackerOne account.

Should governments and enterprises consider bug bounty programs?
With Singapore adopting bug bounty programs to protect their government systems, we asked Laurie if other nations in the region should follow suit. Laurie is convinced that all organisations in the world and not just those in Southeast Asia should consider using evolutionary methods like bug bounty programs to reduce their risk, scale security, enhance their reputation, and enable faster innovation.

“For governments and enterprises in the Southeast Asian region specifically, bug bounty programs allow them to engage with much more diverse, numerous and specialised skill sets. Working with the world’s largest community of hackers here at HackerOne, I am regularly astonished and amazed by the wonderful new hacker discoveries. Did you know that the first hacker to earn one million USD was a 19-year-old in Argentina! And did you know that many recon tools are written in Egypt, for example?”

As Laurie puts it, the adoption of new technologies and digital transformation present a huge opportunity to transform lives for the better, and these new technologies need to be secure, or it would be pointless to use them. 
