15 January 2019

A Bug Bounty Bill was just Signed by the White House, and What it Means

Mark Kuhr

Day to day we tend to stick to routines, but that won't help us address increasingly creative and asymmetrical cyber threats online. Whether our adversaries intend to sow discord online to undermine our democracy, probe our power grids, or suspend emergency services, we need to stay one step ahead. Federal agencies reported more than 35,277 cyber incidents in 2017 to the Department of Homeland Security (DHS), according to a GAO report published in December last year.

At the same time as the GAO report was being published, the White House took an important step to harden US cyber defenses. The president signed the SECURE Technology Act, which instructed the DHS to set up a program to crowdsource hackers from outside government to participate in a bug bounty program. The SECURE Technology Act included language from the Senate version of a bill called the Hack the DHS Act and passed with landslide support in the House (362-1) and in the Senate (100-0). Part of the legislation calls for DHS to establish a vulnerability disclosure policy (VDP), which will allow hackers to report vulnerabilities to DHS in a secure manner. Taken together, these measures will finally permit DHS to harness “patriotic and ethical” hacker talent (in the words of Senators Hassan and Portman) and make our country more secure.

With the new law in place, the next step for the DHS will be to design a pilot for a crowdsourced, hacker-powered bug bounty program. They are going to have to decide between two different models, both of which are used by federal agencies and enterprise. The first is a more open, less structured approach (“traditional bug bounty”) while the second is a more sophisticated and controlled approach (“crowdsourced penetration testing”). In DHS’ case, their most critical and sensitive systems (such as border security, counterterrorism and energy infrastructure) should be top priority to help keep Americans safe. In this decision, the DHS will need to consider the level of vetting and technology that they will get from each model to ensure the high accountability and efficiency needed to meet their goals.

Bug bounty, while a relatively new concept, has changed significantly since its introduction in 1995. Netscape started the first bug bounty project that year, offering cash payouts to anyone who could find bugs in its product. This was revolutionary at the time, allowing anyone, not just employees with credentials, to be involved in an organization’s security. It also introduced a more effective “pay for results” style of security. Over time the bug bounty model has evolved into crowdsourced penetration testing (CPT), which can be point-in-time or continuous. This newer model offers more stringent vetting to ensure that outside hackers are indeed trustworthy, and platform technology to generate analytics on the effectiveness of engagements, insert more controls into the process, and facilitate communication between hackers and organizations.

Crowdsourced security testing, in the form of Crowdsourced Penetration Testing (CPT) and Crowdsourced Vulnerability Discovery (CVD), is now deployed by hundreds of forward-leaning enterprises such as Santander and Domino’s and government agencies such as the IRS and DoD (“Hack the Pentagon”). Today there are 16 agencies, 10 civilian and 6 military, using some type of bug bounty program. Out of the federal agencies that have adopted bug bounty-type programs, 90% have opted for the CPT model proving its dominance over open bug bounty.

It’s important to vet people that work with sensitive systems — and in this case, we vet them for both the skills to find vulnerabilities effectively and the trust to keep those findings confidential. The SECURE Technology Act gives DHS the freedom to decide its own vetting criteria, and we expect it will opt for a more stringent process. One pool in the United States that remains relatively untapped and can be depended on to meet these high standards is skilled veterans. We recently launched the Synack Veterans Cyber Program to recruit and train veterans to work on bug bounty engagements. Since the launch of the program in November 2018, we have seen a 69.2% increase in veteran applicants to our Red Team.

Even with the best Red Team, DHS should ensure auditability and scalability by using a software platform to manage the entire process. The platform would give DHS better visibility into its bug bounty program, providing performance metrics and analytics such as researcher hours worked and attack surface covered. In addition, innovations in bug bounty such as AI scanning technology can be deployed alongside researchers to help find vulnerabilities faster. Automated scanners can keep running and augment humans even after the human engagement has ended. Threats are constant and large networks change rapidly, which requires a continuous approach. Traditional human-powered testing approaches alone won’t be enough to monitor the constantly changing attack surface.

Based on Synack’s analysis, the government could save up to $229 million by adopting crowdsourced security testing more broadly given its higher efficiency than traditional penetration testing at finding vulnerabilities. The crowdsourced model uses gamification and competition to motivate researchers to find security issues in less time, which means more results at a lower price point. Analytics from the technology platform will help to track hours worked and number of vulnerabilities found and remediated.

Dr. Zangardi, former Acting CIO at the Department of Defense, was the original owner of the “Hack the Pentagon” project launched in 2016. Now he is CIO of the DHS; the pilot could not be in better hands. With so much on the line, DHS should consider the importance of a sophisticated bug bounty model, strict vetting requirements, state-of-the-art AI technology and appropriate control mechanisms. Choosing the appropriate model for the selected targets will be essential to achieving the highest ROI for the Department. This program will likely provide important outcomes and be used by the DHS and other government agencies when considering widespread adoption of crowdsourced security.