BugBounties changed InfoSec world for better

Graphic from tripwire.com

Just four years ago, before that Bug Bounty madness started off for real, many companies had pathetic security posture. Okay, let’s be real here, most organizations, because many isn’t emphasizing enough. In just 4 years the raise of security awareness and general improvements of organisations security posture are really prominent.

I’ll show you proofs one day, I’m just lazy and can’t push myself to migrate bug reports in high profile companies from mail archive to the blogposts. But I promise to do it, so everyone can get a sense of how webapps world looked like just 3–4 years ago and how vulnerable everything was to anyone willing to spend a fifteen minutes looking for bugs.

Of course Bug Bounties made a lot of noise along the way and many companies wasted a lot of money on not well coordinated programs, but the whole world has benefited from the sacrifice of those who had taken the risk.
Google, Facebook, Yahoo, Mozilla and Microsoft are the brands which decided to throw away millions of dollars and should be mentioned here as a game changers.

Bug Bounties impacted an infosec recruitment arena and made it easier for infosec enthusiasts to show their skills and get hired in infosec roles. For skilled guys, it’s definitely a good thing and I see there is more and more companies giving bonus points in recruitment process for participation in BugBounty programs.
For those “your ~all SPF is broken, gimme bounty” crying type of guys, nothing changes.
On the flip side, it’s not that great for organisations, because they’re being spammed by those security ninjas with low quality “bug” reports and occasionally blackmailed by the same nobs when rejected. Buddy, just because you found one tiny bug in a webapp, doesn’t mean you’re immediately a quality infosec employee. Also, just because webapp is telling the user that provided email already exists, doesn’t “put entire business at risk” because you can enumerate users by their emails. It’s email provider service, what do you want me to do? o.O

The good news for recruiters whining about infosec pros shortage is that we’re getting more attention, and the bad news is that the quality of the crowd isn’t great, but it’s still something.
Lots of people are being pulled into security field because they had gotten excited by news that someone just earned $10k bounty for trivial bug in FB, and they want to make the big money themselves.

Unfortunately because of the flood of people, there are scammers who make it through interviews because of their high self-esteem which comes from thinking about themselves as a hackers who found a little bug and got posted on Hall of Fame of some startup no one ever heard of.
Yes, lack of humility is a real thing, so dear recruiters — watch out for these guys, because some of them are really experts in faking their expertise.

Many organizations realized they won’t get far without internal security team, because they’ll simply get booed on public forums if an incident happens and that’s something marketing departments aren’t fans of.
Whether it’s for public relations reasons, actual technical security awareness, noble goal to save the world, I don’t care as long as it makes users safer. Market is expecting higher quality products — which is a good thing — and vendors need to deal with it. Of course I’d love to see organizations to have real intent in securing customers data, but we’re not quite there, yet.

There are companies out there that because of the narrative glorifying Bug Bounties, really do believe they’re ultimately safe when they run their own program. This is a very dangerous belief, and I hope you’re not one of these companies.

Some businesses know that Bug Bounty programs don’t provide ultimate safety, but because they know customers believe in this, they take advantage of it.
For marketing folks in such organisations, Bug Bounties are just another toy to play with in the sales show-off. Don’t buy this cheap talk if your vendor is saying that they don’t have security team because they’re covered by Bug Bounty. They’re not, they just use it as a way to avoid expenses on real InfoSec efforts. Even if they’re regularly hiring pentesters to support Bounty programs, there still is a gazillion of things that need to be taken care of, like monitoring and crap detection.
Simplifying it a lot — I wouldn’t buy a serious product if there is no internal security team behind it. Not talking about size, one person makes a difference. Not talking about cat gallery app, talking business here. Active Bug Bounty program and cold security assessments don’t mean your data is safe because e.g. some functionality may have a design flaw which makes users to use it in a wrong way, which makes a security hole and put users at risk.
In other words — UX that sucks can be a threat which bug hunters may not care about.

Am I excited about how Bug Bounties improved security posture of many companies? — Totally.
Does it mean every company should do Bug Bounty and treat it as the best spending ever? — No, and I explained it in my previous article. If you became more security aware person thanks to Bug Bounties, that’s great, but it doesn’t mean you should immediately join the league. You know you need to level up your security so go and invest wisely.

There are still breaches and there will be, that’s a sure thing. But I can’t agree with some complainers that it’s not getting better. Not only webapps-wise have we leveled up the game and quality of products. Bug Bounty programs created for web apps led to discovery of many weaknesses in other places like problems with weak credentials, abandoned DNS records etc.
I’m not even mentioning side initiatives like “Internet Bug Bounty” which encourages security researchers to look for bugs in most commonly used software upon which the Internet is built. This is gold and it really makes a difference. The change is real.
One more fun side effect Bug Bounties do have. They uncovered how actually insecure products were, even from vendors hiring tens or hundreds security engineers. No space in this article to comment on this, but when I hear from a fresh startup that their products have rock solid security.. ehh, who are you trying to trick… It’s 2016, pretty transparent world. These lies/jokes about being 100% hackerproof don’t work anymore.

Even with such great initiatives there are downsides like market flooded by hackers-wannabe and the thing with false sense of security. But compared to beneficial outcome of Bug Bounties it’s nothing. Net profit is still high enough to put Bug Bounty in a positive light.

There are initiatives once in a while that tweak the industry. Those few guys(Dino Dai Zovi, Charlie Miller and Alex Sotirov)* who started the movement ‘no more free bugs’ sparked a huge change which we’re seeing nowadays. A bunch of people tired of status quo spoke out loud and made the change happen.
I want to say — Thank you, all dear troublemakers out there who are pushing our industry forward. Applause also to guys like Tavis Ormandy who scare the shit out of software vendors and make the them pay real attention to security for PR reasons.

*Yes, and a glory for Jarrett Ridlinghafer and his Bug Bounty initiative at Netscape. Sorry for not getting into details of this, but I wanted to focus on the security bug bounties and infosec world of last few years.

If you enjoyed reading this post, there are two more on similar subjects:
Pentests vs BugBounty for startups and SMBs and How to truly benefit from penetration tests and bug bounties

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.