Moussouris has a long history in computer security, working at Microsoft and the Department of Defense creating their first bug bounty programs to incentivize catching and reporting security bugs and vulnerabilities in software systems.
Nilay and Katie discuss the history of bug bounty programs, from the early iterations to the current state of affairs, from good to bad. Though Moussouris says the concept of hiring hackers to help make organizations more secure has numerous positives, the commercialization of the practice has created blindspots and other unintended incentives.
Below is a lightly edited excerpt from that conversation.
Nilay Patel: Where are the failings of a bug bounty system?
Katie Moussouris: Well, right now, honestly, the failings, I’ve got to say, are in the commercial implementation of bug bounties. So my company basically goes in and assesses organizational maturity, like, “Are you ready for this? Can you handle the truth?”
And a lot of the questions we ask, organizations are like, “Yeah, but we want to do this industry best practice thing called a bug bounty. And we know that you make all these big bug bounties. So just make us a bug bounty.”
And I’m like, “But you haven’t actually been able to keep up with patching the systems that you know are out of date. How can you actually deal with this additional volume?” And they say, “Oh, but we’ll just hire a bug bounty service provider, and they’ll take care of everything for us.” And I’m like, “Wait a minute. What part about your internal patch processing did you not understand from the rest of the questions?” Because they’re sitting there going, “We’ve been told we can outsource this.”
I see it as failures of both sides of the marketplace. I used to work for a bug bounty company. I believed in this model as, “Hey, why don’t we make it easier to connect companies with hackers and make it safer for everybody? And eventually, the companies and the governments will become more secure, and eventually, the hackers will also not only stay out of jail and make a living, but they’ll scale up.” Because ideally, what you want to see in the whole world is no low-hanging fruit anymore. You want to see people actually addressing those bugs themselves — preventing them, ideally. But even if they accidentally coded up some low-hanging fruit bugs, to be able to detect them themselves. Not rely on third-party randos on the internet to come tell you about this low-hanging fruit.
So where I’ve seen this failing is that commercial bug bounty platforms, basically their business model is you stay bad at security so that there’s a lot of low-hanging fruit to be found and the relatively low-skilled labor that hangs out on the bug bounty platforms — with very few exceptions, there are highly skilled folks on these bug bounty platforms. But I think I read the latest report from one of the leading bug bounty platforms, out of 600,000 registered users, 146 of them have never made more than $100,000 in their entire lifetime on the platform. You know, a professional penetration tester, even 15 years ago when I did this, already, the starting salary was over $100,000.
So we’re not seeing actually a good evolution of the state of security as a result of these programs. We’re also not seeing a good evolution of the state of cybersecurity workforce. We see a huge bottom of the pyramid, which is kind of the folks who are able to run free or nearly free scanning tools and kind of give you the low-hanging fruit reports. And they’re making up the majority of bug bounty hunters. And this tiny little top-of-the-pyramid of highly skilled workers — that is, literally less than 200 people — are at the very, very top. And that’s despite these companies being in existence for the last eight years.
It’s so funny that you are describing an economic model for cybersecurity for hacking that looks an awful lot like a user-generated content platform economic model. You could have just described YouTube or Instagram or any of these other platforms that promise lots of people access but only rewards a tiny fraction of the folks. Is that an accurate analogy?
Absolutely. I mean, the rules of bug bounty are only the first one to report a unique bug gets paid for it. So think of all the low-hanging fruit. You could be spraying and praying your scanning tools, but to even make money on something that was very easy to find, you just have to be the first one in. So there’s a whole lot of unpaid labor that goes into these platforms.
And then let’s say even if you’re operating at sort of higher technical levels and finding more esoteric bugs, we hear complaints left and right of companies saying, “Oh, we knew about that bug already, so we’re not going to pay you. It’s already in process of getting fixed.” So there’s a whole bunch of stuff where people are not getting what they signed up for. I look at it as yet another failed implementation of the gig economy marketplace right now.
We all had a lot of high hopes that the gig economy would help a lot of people. And it’s not been turning out great for certainly the labor side of things. But in the case of bug bounty, it’s not turning out great for the buying side, the hiring side, either. They’re not able to access a huge new labor workforce. That tiny number of people who are fairly highly skilled and making good money on these platforms, they maybe don’t want to give up their lifestyle. A few of them have decided to work in-house at companies, but they’re kind of preserving their bug bounty moonlighting abilities on the side and everything. So we’re just not seeing the whole gig economy as expressed in bug bounty platforms working out for either side of the equation.
So to keep this analogy going maybe past its breaking point, when we were critical of a YouTube or Instagram, a thing that is real there is that’s working out great for YouTube and Instagram. They have no incentives to fix it because they’re reaping all the rewards. I would imagine at least there’s more actual money flowing through the bug bounty ecosystem and there is the very real threat of “Hey, there’s vulnerabilities in our software.” So it does seem like there’s some incentive to change it, to change that model. What changes have you seen coming, or does that incentive just not exist?
Well, after leaving one of the bug bounty companies, I stayed on as an adviser for pretty close to a year and worked with them on various mutual customers. I’ve had customer overlaps with a lot of the bug bounty companies, if not all of the major US ones. And the thing I keep seeing in their business model is that I would like to help organizations get more mature. So fewer low-hanging fruit bugs, more esoteric bugs. But all of their business models depend on there being chum in the water all the time of low-hanging fruit.
So they don’t want the process delays of [when] my company usually goes in and says, “Are you ready for this? Have you invested internally on finding the bugs yourself? Did you know it’s up to 45 times cheaper if you actually identify security bugs in the design phase?” And that basically ends up delaying the adoption of bug bounty, which isn’t appropriate for everyone and certainly not appropriate if you can’t even patch the bugs you already know about.
So I think the inherent conflict that’s come up with the different business models — bug bounty versus the advisory services that my company provides — is bug bounties can help with a tiny fraction of what you already need to do for vulnerability management, but it’s being positioned as the easy button for it. We’re seeing a lot of companies come to grips with the fact that they’re having breaches still even if they have a bug bounty or they can’t bounty everything.
There’s one airline who has had a bug bounty for a little over four years. That’s United Airlines. Is it on the planes? No, it’s on the websites. It’s against the website. So how are we safer in the skies? Well, we’re not. But the appearance of looking like you’re doing diligence when it comes to vulnerability management, I think that’s where commercial bug bounty enablement platforms have been pushing, like, “Look, you know, just look really busy.” Yeah, you’re playing whack-a-bug and everything and this is super inefficient, but you can say that you take security very seriously and you’re fixing all these low-hanging fruit bugs and whatnot. We won’t call them that. We’ll just say that, you know, there are all these bugs and that it’s super valuable. And then when you get breached, maybe you won’t get in trouble because you can say, “Well, we tried. We had a bug bounty and just nobody reported that particular issue to us.”
So I don’t know. I mean, I would love to say that this is all evolving in the right direction, but frankly, I’ve seen it devolving, especially in the last couple of years of the commercialization of bug bounties.