Bug bounties were created so organizations, independent of size or location, could utilize the best security talent in the world to help them find hidden vulnerabilities that were left undetected by other solutions like automated scanners and traditional pen tests. This vulnerability intelligence has become a marketplace: companies are willing to pay big bucks for researchers’ findings. I’ve been involved with Synack for over 3 years now, and I’ve noticed some concerning and important trends happening in the marketplace dynamics of bug bounties, which Synack has been actively preventing from the beginning. Join me in diving into what I’m seeing in the space now, and my thoughts on creating standards and protections for high quality platforms that benefit researchers and clients alike.
First, let me start by saying that I appreciate having a number of companies offering various forms of commercial bug bounty programs, as it creates a bounty-based economy and helps customers to see that the old way of doing things is simply, obsolete! Any crowdsourced security company who advances the cause and contributes to increasing the security posture of businesses with digital assets is making the world a safer place, and that is a good thing. With that said, I think anyone who plays a role in the space as a platform (an entity that is larger than an individual or group of individuals responsible for finding vulnerabilities) has an implicit duty to the crowdsourced industry to pioneer better experiences for all researchers who choose to participate.
Incentivizing Creativity & Diversity is Everything
At Synack, our goal and mission is to create and implement an effective and efficient model for security researchers — to streamline and scale their strengths without being bogged down by repetitive tasks or worried about being treated fairly. One of our focus areas is to lift all our researchers above the noise and provide them with research opportunities that lead to proof-of-concepts (PoC), or exploits, that deliver more value than anything a scanner could come close to providing. For context, PoCs are demonstrations which are intended to show the realization of a concept when it is verified or deployed in the real-world. We know there is high value on the creativity and diversity of humans and the type of workflows they can deploy while doing research. I’m concerned there are other platforms with the power and capabilities to do the same, but they are withholding this benefit from their community.
Farming in the Digital Fields
Some security researchers have found a way to tend to the “digital fields”, using scanners to “sow their fields” and reaping what they sow in the form of alerts. These alerts are then transformed into a report to demonstrate their “yield” and they collect a bounty for pointing out a vulnerability that didn’t take too much skill or effort at all. The twittersphere has adopted the term “farming” (usually attributed to Justin Kennedy) to explain this concept. The biggest issue with “farming” (which we refer to as low-hanging fruit) is the noise it creates. Sometimes, the noise impacts the researcher and sometimes the noise impacts the client.
I consider “noise” as small distractions that take away from the actual purpose of bug bounty: going deep into critical assets to find critical vulnerabilities. It’s great that security researchers are getting paid, but when they earn lucrative money for issues that customers don’t recognize as critical, the marketplace has the potential to deteriorate. Why? Because once a client becomes inundated with issues that don’t provide a high ROI and they’re pulled away from focusing on critical risk, the bug bounty is failing to provide what it promised. Another reason for the deterioration of the marketplace? Researchers aren’t achieving their full potential and capability.This is often researchers’ number one motivation for hacking on these platforms. Both parties suffer in the long run. Clients can’t justify the spend for a program that isn’t delivering value. Researchers can’t justify their time spent on these programs if they are primarily incentivized to scale the report writing of low-level and non-interesting vulnerabilities simply to make testing worth their while.
What Makes a Marketplace? A Platform?
Platforms need to focus on creating the right principles for their community. These principles should be geared towards identifying, defining and executing on relevant demands from their clients. If farming-type vulns are accepted on a platform, it is ultimately incentivizing security researchers to report what clients already have enough of, and that is scanner results. Though farming allows security researchers to get paid, it is short-term, and it won’t last for long if it continues. This is because the economic activity will become inefficient and the supply of low-rewards will outweigh what the client actually demands — which is to increase their security posture.
Security researchers in programs outside of Synack are seeing this happen today. They are spending 48+ hours to go deep into a customer’s asset to find a high-risk finding and are experiencing the budget is exhausted by the time they execute their PoC and submit their finding. The reason the budget becomes exhausted is because the program pays out for a series of quickly found, low-risk vulns which are site-wide throughout the asset. This leaves no opportunity to get a reward for findings that have a more creative narrative and a higher business impact. This is why it is every platforms’ duty to identify what the client demands are and to decipher how to best translate the strengths of creativity and diversity of true security research to preserve a market and increase its value over time. Sadly, this isn’t happening across the board of all other programs today, putting the value of bounty programs outside of Synack at risk.
At Synack, we put low-risk vulnerabilities out of scope (i.e Info Disclosures (which include non-sensitive info), Weak Login Functions or Known issues). Do we think they can eventually be chained and exploited to become a bigger problem for the client? Nope, we don’t think that; we KNOW that! However, we will be damned if we undermine the demands of our clients that call for critical vulnerabilities, and in turn, take advantage of the talent in our community for the sake of demonstrating low-level work. We live in an enterprise world where a good security posture isn’t synonymous with having no vulnerabilities. In fact, having vulnerabilities in a queue is congruent with continuing the efforts to improve a security posture. When it comes to resources and operations of an infosec team, it’s all about prioritization and receiving the biggest bang for your buck. At Synack, we leave the “farming” up to our Hydra system as well as clients who build out their own suite of scanners. Each method filters the results to Synack internally and we decide if the low-risk vulns we’ve farmed are worth entering the marketplace and providing a high value ROI for both the security researchers and the client.
Taking Ownership of the Platform
Overall, bounty platforms need to take more ownership over the marketplaces they are creating. Any time a program passes through a security finding that is deemed “farming”, it robs everyone of value within the community who is capable of doing more. Budgets are a necessary evil of business, but it is up to the operations of a business to ensure you’re capturing the talent within the platform. Synack has procedures in place to put “farming” where it belongs, and we will continue to do better as the landscape of security evolves. Not to mention, we have a thing called Missions which takes care of that whole compliance thing, which is where farming is most relevant. The value of our Vulnerability Operations Team rings true as we keep our focus on the research, and we don’t ask our valuable community to help govern or manage a platform by instituting principles which is our duty to uphold.
Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery, opportunities to work on unique targets, personalized support, and skills development. We do this through the Synack platform and our SRT Levels program which includes fun competitions, gamification, mentorship, and specialized projects.
Apply to join the Synack Red Team and become one of the chosen few. We provide the best support for our researchers, and put the highest quality, most relevant features into our platform – it was designed by hackers for hackers.
If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.