At the recent Black Hat security conference in Las Vegas, tech giant Apple announced that it would pay ethical hackers more than US$1 million if they responsibly disclose dangerous security vulnerabilities to the company. The amount is a huge increase from its previous offering of US$200,000, clearly showing how serious Apple is in finding vulnerabilities in its products and software.
In light of this, CyberSecurity Asean (CSA) spoke to Kevin Gallerin, Managing Director, APAC, YesWeHack, to find out more from a hacker’s perspective on why bug bounties are becoming more lucrative. CSA previously highlighted what the bug bounty programme is all about and why more organisations and even governments are taking part in such programmes. To understand more about bug bounty and why organisations and governments are using it, read here.
According to Kevin, to earn the bounty, hackers must first comply with each programme's scope and rules (authorisation, qualifying vulnerabilities, etc.), which are set within the organisation’s budget and security objectives. While the bounty is a good incentive for ethical hackers to take on more projects and build the expertise to discover tougher vulnerabilities for even larger rewards, hackers also need to be genuinely passionate about the profession.
“A great ethical hacker needs to have personal satisfaction with being able to hack a large corporation and help them discover vulnerabilities. Seeing the company grateful and thriving should be important to them.”
Unfortunately, Kevin explained, hackers who have already been involved in unethical activities are unlikely to sign up for bug bounty programmes, because they would have to go through a strict vetting process during registration. They will not risk being discovered, and so they tend to avoid sharing information or working “in the open” as much as possible.
If they are discovered to have been previously involved in unethical activities, they can and will be charged for it. The most recent case is the arrest of a software engineer in Seattle, USA, who bragged on social media about hacking the credit card issuer Capital One. The hack affected approximately 100 million individuals in the US.
On the other hand, Kevin believes the bug bounty is an excellent way of nurturing ethical hackers from the start of their hacking career. The more vulnerabilities a hacker reports, the more rewards they receive. As beginners gain expertise in the field, they are eventually invited to private programmes where the incentives are much higher. With bug bounty programmes providing substantial income and growth opportunities, it is usually human nature not to undertake risky dealings where the repercussions are high.
Programmes should always be carried out on bug bounty platforms, alongside experts who can properly validate your project’s scope, rules and rewards grid, and who can adapt and scale programmes for optimum performance. The platforms used should be designed and continually maintained in accordance with the most stringent security standards, and access to vulnerability reports must also be tightly controlled.
Malicious actors are always going to be there, regardless of whether one deploys a bug bounty programme. However, the beauty of a crowdsourced programme is that if an external hacker working outside the programme finds a vulnerability and chooses to exploit it instead of reporting it, the crowd of ethical hackers participating in the programme would also have found the same vulnerability and reported it to be fixed, alerting you to the malicious attack and skilfully shutting it down.
A concern for cybersecurity providers?
With the growing number of organisations and governments considering the use of ethical hackers and bug bounty programmes, Kevin points out that some cybersecurity providers should be concerned, at least in the long run.
Kevin said that in the last decade, the use of traditional security audit models, such as penetration testing, has skyrocketed. However, as the volume and impact of cyberattacks continue to increase, these traditional approaches are showing their limitations. They are struggling to meet the combination of factors seen today: the growing sophistication of threats, the expansion of attack surfaces, the need for speed and agility, and the demands driven by digital transformation, such as DevOps.
“More and more organisations are realising the value of crowdsourced vulnerability testing and see bug bounty as an answer to those challenges. It is likely that existing cybersecurity providers will have to reposition their value proposition in order to stay in the game.”
While the concern is there, the potential to grow and mature local hacking communities depends on several criteria, the main ones being the level of digitalisation, general security awareness and the legal frameworks in place for vulnerability disclosure.
Looking across Southeast Asia, the maturity of local hacking communities varies dramatically from country to country, depending on exactly those factors. Kevin explained that the region is slowly but surely welcoming the concept of ethical hacking.
“Over the past five years, we’ve seen it steadily gain traction, with government agencies in Indonesia, Singapore and the Philippines holding nation-wide hackathons and bug bounty programmes. Southeast Asian nations are starting to embrace crowdsourced vulnerability testing as an effective way to tackle the new age of constantly evolving threats.”
He added that ethical hackers in this region also do excellent work. When they find and report a vulnerability, their reports are among the most actionable and comprehensive, and serve well for future learning.
Fear of failure
Kevin, however, pointed out an interesting characteristic of hacking communities in Southeast Asia. For him, it is the social culture that puts unhealthy amounts of pressure on succeeding at the first try. In Europe, hacking communities are more willing to keep trying different things and failing many times until they get to the right answer, and as a result they end up finding more vulnerabilities in the process. Hacking communities in Southeast Asia can really flourish once they overcome this fear of failure.
Having said that, we asked Kevin what the biggest fear for ethical hackers is when taking part in bug bounty programmes. He replied, “For me, that would be submitting a critical vulnerability for a top bounty and finding out that it’s a duplicate.”
A duplicate means the ethical hacker has spent all the time needed to find and submit the vulnerability, only to learn that someone else has already reported the same flaw. Perhaps in the future, bug bounty programmes will offer higher bounties. At the end of the day, most ethical hackers prefer working by themselves, and if the vulnerability they discover turns out to be a duplicate, it may change how they view bounties.