The pandemic has overhauled the bug-bounty landscape, both for companies looking to adopt such programs and for the bounty hunters themselves. Casey Ellis, founder and CTO of Bugcrowd, said that COVID-19's far-reaching implications, including wider acceptance of remote work and the push of more users onto digital platforms, are creating unanticipated new trends for bug-bounty platforms.
For one, the new work-from-home models brought on by the pandemic have put more pressure on digital platforms, including collaboration tools like Zoom, to secure their services, giving these firms a bigger motivation to launch or enhance bug-bounty programs. At the same time, the mandatory push to remote work has opened a new level of acceptance for companies working with bounty hunters who are not physically present within the organization.
“We’ve seen [hesitation around remote work] really get challenged in a positive way by COVID, which has netted out to more people being comfortable with the idea of getting expert security help in from the outside world,” Ellis said.
On a broader scale, Ellis said that he’s seen ethical hackers begin to put in more serious time searching for bugs: “People just had more discretionary time” during the pandemic, he said. “Because they weren’t going out, or commuting to and from work, and especially if you’re a younger person, or if you don’t have as many commitments at home, that nets out to more time to do stuff, which we saw get applied into bounty hunting.”
Below find a lightly edited transcript of this interview.
Lindsey O’Donnell-Welch: Welcome to Threatpost Now, Threatpost’s video segment where we talk to the leading infosec industry experts about top trends, risks and research that are happening right now in the security space. I’m Lindsey O’Donnell-Welch with Threatpost. And today we’re talking bug bounty programs with Casey Ellis, the founder and CTO of Bugcrowd. Casey, thanks so much for joining us today.
Casey Ellis: Thank you for having me.
LO: Great. And to all of our listeners: As a quick intro, Casey is a 20-year veteran of information security; he has pioneered the crowdsourced security-as-a-service model, launching the first bug bounty programs on the Bugcrowd platform in 2012. And he co-founded the disclose.io vulnerability disclosure standardization project in 2016, which is a collaborative project to standardize best practices around safe harbor and good-faith security research. So Casey, you have years of experience under your belt around bug bounty, vulnerability disclosure and safe harbor. And so just to set the context here, can you tell us a little bit about the current state of bug bounty programs and kind of their adaptation by companies in 2020?
CE: Yes, certainly. You know, 2020 has been a pretty remarkable year, in all sorts of ways. I think one of the side effects of the pandemic and of working from home is it’s really highlighted, you know, how, like, pivotal technology is to life just in general, going from, you know, the average consumer right up into the very tops of the largest companies; that’s become far more obvious. It was always, you know, a thing, but I think it’s been kind of thrust into our face this year. So, you know, really, what we’ve seen happen as a byproduct of that is, on the customer side, we’ve seen organizations really accelerate their security programs as they’ve gone to undertake things like digital transformation. So companies that relied on a physical-presence business model, and had this kind of three-year plan to take better advantage of the internet – all of a sudden that project’s now on a six-month lead time, and you need security for that. So there’s been a lot coming out of that. I think, on the vulnerability disclosure side, for organizations, there’s a growing understanding of the need to actually create confidence for the user. So this idea of, like, neighborhood watch for the internet, that’s something that the layperson can understand. And I think, you know, a lot of, like, corporates, but now governments and even election systems are taking advantage of that. On the [bug] hunter side, it’s netted out to a ton more activity; you know, we’ve seen spikes in kind of participation in programs; we’ve seen, like, a lot of net new hunters come into the place. Obviously, there’s a ton of content being generated now, because everyone’s doing that. So folks are learning; they’re digging into different domains and so on. So, yeah, in general, everything’s just gotten busier.
LO: Right. Right. It certainly seems that way. And, I think, you’ve seen kind of how bounty programs specifically have shifted over the past decade or so, are you finding that companies are becoming more open to launching bug bounty programs?
CE: Yeah, definitely. And it’s an interesting one, because at this point in time – when we first started, “bug bounty” as a term of art was kind of the thing that, you know, Google and Facebook were making noise about in 2011, 2012. And we had to do a lot of education to the market around this idea that, like, a hacker can actually be helpful, not necessarily harmful, which is the assumption that most people start off with. And then we kind of got over the hump, this idea of, like, oh, wow, okay, watching people like the Pentagon start programs, like some of the more conservative organizations that don’t look as much like Facebook and Google starting to engage with the community. Bug bounty became a thing that everyone kind of realized was gonna be here to stay in the IT space. Where we’re at now is that I think there’s a fair bit of confusion around the idea of, like, what is a bug bounty versus a vulnerability disclosure program versus crowdsourced testing. When you say bug bounty, I think people tend to generate a specific idea of going out to the open Internet, saying “Come at me, and I’ll pay you,” which is one variation, and really from Bugcrowd’s standpoint was always intended to be only the tip of the iceberg for this broader idea of, like, how do we connect all of the skills and talent that exists in the white hat community to this problem of cybersecurity that requires creativity and is increasingly in need of that as technology evolves. So yeah, I mean, the thing that we’ve seen is really organizations actually changing. There’s a lot of people that are doing the work-from-home thing for the first time, especially folks that are generationally older, from a management standpoint; they’re not as used to Zoom in the way the digital natives are. And they’ve kind of been forced into getting comfortable with that type of thing over the past nine months.
And what we’re seeing that do is translate across into how they approach accessing talent. There was this reservation in all sorts of areas around engaging people that you couldn’t, you know, physically lay eyes on or have sit in the same office as you. We’ve seen that really get challenged in a positive way by COVID, which has netted out to more people being comfortable with the idea of getting expert security help in from the outside world. So that’s a big one. And then VDPs, as I mentioned before, like the whole idea of organizations actually being proactive about creating a policy, understanding that technology is never perfect, because humans are the ones who make it. So how are you going to receive feedback on, you know, risks that you might not be aware of?
LO: Right, right. And to your point about the current ongoing pandemic, I know that that has had several impacts across the board, but specifically as it relates to bug bounty, like, I know that Zoom, having kind of that influx in its user base, was looking at its own bug bounty program and how they could improve that to kind of keep up with the vulnerabilities that were being processed there. But are you seeing COVID impact kind of the bug bounty landscape in other ways, whether it’s more bounty hunters who may be starting to focus on bounty hunting full time or otherwise? Just not sure what you’re seeing there.
CE: Yeah, no, definitely. On the hunter side, there’s, I think, a combination of things. You know, people have – we saw this really early on – people just had more discretionary time, because they weren’t going out or necessarily commuting to and from work. And especially if you’re a younger person, or if you don’t have as many commitments at home, that nets out to more time to do stuff, which we saw get applied into bounty hunting; that’s continued. But there was, I think, a sudden kind of spurt of that, “Oh, we’ve got all this free time, let’s go hack stuff,” which is kind of neat. As it’s sort of continued on, the conversations I’m having with hunters is that they’re viewing it very much more as being able to take control of their destiny, in a sense, from an employment and earning standpoint. It’s like, okay, I can be dependent on an organization, I can kind of have a traditional salary, career path, things that I have to figure out, or I can take advantage of some of these opportunities that are available to me to actually be the master of that myself. So it’s almost like this idea – I’ve got a saying that I throw around that every bug is a startup, and every bounty hunter is an entrepreneur. And I’ve actually thought that way for quite a long time, because there are, like, really strong elements to that that aren’t all that obvious. But we actually have seen people realize that and engage it directly more this year, which I think is pretty cool.
LO: I really like that saying. I think it really drives home a lot of, you know, the motivation behind bug bounty hunting for a lot of the bounty hunters. So, good point. And you made a point earlier about bug bounty and different terms and vulnerability disclosure, VDPs and pen testing. I feel like those terms are thrown around fairly frequently. And I agree with you that sometimes they’re intermixed, and the definitions are kind of muddied there, and not just with the broader infosec space but even with companies who are marketing some of these types of programs. So can you talk a little bit, just to clarify the distinctions between these and why it’s important to kind of make note of, in terms of how these programs should be marketed?
CE: Yeah. And fully acknowledging that Bugcrowd is in part responsible for this. I think bug bounty is a really easy-to-understand way to begin a conversation about this. That’s something that we’ve taken advantage of ever since – I mean, it’s there in the name; it’s one of the reasons why I chose to call the company Bugcrowd, is because that’s what people were thinking about at that point in time. But at this point, starting to disambiguate is becoming more important. I think vulnerability disclosure is really, to me, the superset concept. So it’s this idea that basically anyone who has contact with your systems and software has the potential to identify a security issue. Sometimes they might go looking for those issues proactively; other times, it might just happen – the “face smash” issue that Apple fixed was found by a kid playing Twitch with his friends, so he wasn’t hacking or bug hunting, he just observed security behavior that he then reported to the company so they could fix it. So it’s really the policy that sits around how you as an organization are going to respond to that: if you’re actually authorizing people to go looking for vulnerabilities, what kind of safe harbor you extend to them to make sure that they can do that in a way that has them feeling safe, and not like they’re breaking the law, but also that helps them define what it would look like to not break the law as they go about that type of thing.
And then the ability, obviously, to receive those issues. I believe VDP is pretty quickly becoming just a normal part of being on the internet. If you see something, say something; I think that’s actually more driven by consumer behavior than it is by companies necessarily aggressively leaning into it. But that’s the master concept. Downstream of that you’ve got bug bounty programs, where you actually reward people for what they find: if they’re the first to find a unique issue, they get paid for it, and that payment’s in proportion to how impactful that vulnerability is. So if it’s really severe, they get paid a bunch of money; if it’s small, they get paid less. And it started off really as this way to say thank you for people that were working in a manner similar to a VDP. But really what it’s turned into is a way to encourage and actually attract input from the outside world. But the big thing, again, with bounty is that it’s meant to ideally be an open thing. So you’re not actually necessarily being exclusive about the people that you invite, or the scope of your systems that are even being targeted, necessarily; it’s this idea of “Yep, cool, hacker community, come and help us with security, and we’ll pay for it.”
I think in those two cases, really, the distinguishing feature is that the researcher or the hunter is the one who starts the conversation. So this program is established, and then on an individual, like, vulnerability basis, the conversation starts from the outside world into the organization, and it’s on the organization to be prepared for that. Then there’s crowdsourced security. So that’s, you know, what Bugcrowd does with our CPT, continuous pentest products, with our next-generation pentest product, with our attack surface management product; that’s now starting to basically carve out pockets of the community that contributes with bug bounty and VDP, understanding what kind of skills they have. But then also, like, are they professional? Can you trust them? Is this someone who is highly skilled, or someone who’s just getting started? All those sorts of things, and basically deploying that group to solve specific problems, but on a private basis. So that’s when it starts to look a little bit more like pentesting or consulting even. But really, what you’re doing is you’re tapping the talent that exists in this enormous, wonderful community of hackers that will go around the world.
LO: Mm hmm. And of those three, just out of curiosity, and for some background, what would you say that most companies are utilizing?
CE: Yeah, I think across the board, it’s actually the third one, because everyone has the fairly clearly identified challenge about not being able to get access to talent. Like, that’s a known issue in cybersecurity. It’s been a known issue for a really long time, and it’s obvious. So when organizations realize that, “hey, there’s this enormous group of people sitting at the table waiting to help,” and Bugcrowd’s created this way to access them based on what you need, and for that access to be managed and all those sorts of things, that tends to click with any sort of organization quite quickly. Regardless of whether they’re a tech company or the Air Force, for example, or, you know, financial services, that’s where we’ve seen, I think, most of the growth by a percentage. And yeah, bug bounty and VDP are continuing to grow; like, VDP is growing as a function of corporate social responsibility. Like I was saying before, organizations are just starting to realize that, yeah, I should probably do this; if I can get security feedback I need to have a way to do that. And people need to feel safe as they submit it. For bug bounty proper, like your Facebook- or your Google-style bug bounty program, that’s a very noisy proportion of what we do. But I would say it’s actually, like, less represented than the other two, in terms of what we’re seeing from a growth standpoint. It’s really fun to talk about, so it sounds like the only thing that people are doing.
LO: Yeah, it is fun to talk about. Speaking of talking about that, so I know in terms of bug bounty programs, you know, a lot of larger companies like Facebook already have, like, fully mature bug bounty programs. But then there are others who are just looking to start their own program. And what are some of the common challenges that you’re seeing for these companies that want to take the first steps and start a bug bounty program? And where would you recommend that companies begin?
CE: Yeah, for sure. I’m a massive advocate of crawl-walk-run, especially in the context of a public bug bounty program. We’ve had, and I still have frequently, conversations with people where they say, “Oh, yeah, we want to launch this public thing with these huge payouts, like, next Thursday, in line with a product thing that we want to get in the press,” and, whatever the drivers, the reasons might be for that. To which my answer is usually “you probably don’t want to do that.” If an organization hasn’t had the opportunity to understand from the crowd what their true risk posture is, in all likelihood, they’re going to find out pretty quickly that they’ve got more problems than they thought they did. That’s a pretty predictable phenomenon when we start a new program, public or private. Within Bugcrowd, we call that the “Oh, crap” moment. You turn it on and say, “Whoa, we thought we were okay there. But here’s a bunch of stuff that we now need to go and look at.” You don’t want to do that with a public commitment to the open Internet to pay people for what they find at first pass, because it’s just, like, winding back from that position is difficult. So to actually work up into that kind of position, I think, is the better approach. And yeah, I see challenges with folk kind of going off half-cocked and making a big noise, but then having to figure out how to [inaudible]. I think as well, you touched on it, and this is a conversation that I get into a lot with, like, Katie Moussouris and many folks that worked on the ISO standards, the 30111 side of that, just on how you actually fix this stuff, you know, what’s your approach. Most of what the public sees and what we talk about, and what Bugcrowd’s kind of known for, if you look at how we do what we do, is the intake side of it, because that’s the part that’s obvious. But then, you know, once you’ve received an issue, then what?
Like, how does that get factored into engineering capacity for a fix if it’s needed? How do you mitigate? How do you prioritize it with all the other things that you’re trying to get done as a business? The thing about, particularly, bug bounty in a public context is you’re never quite sure when something’s going to get found next, because that’s sort of the point; if you did, you wouldn’t need to do this in the first place. So as an organization, how are you going to have, you know, orderly processes on the back end to be able to receive this information and actually reduce the risk, and then ideally learn from it so that you can avoid making similar mistakes in the future? Like, that, to me, is the thing that is unintuitive; like, companies that are really thoughtful about this get that, and they’ll already be working on it. But it’s very easy to go in and just say, oh, cool, I’m just going to invite a bunch of hackers and then we’ll fix what they find. If you haven’t thought through, like, what that’s gonna look like on an ongoing basis within an organization, that’s something that we see people, you know, really need to get help with. And that’s a lot of what we do as a company; like, the platform’s obviously integrating and helping coordinate, get the vulnerabilities in the right hands and all that sort of thing. But as a business, we’ve got a lot of people in the team that actually sit down and partner with the organization to help them, you know, understand what parts they need to do next and where there might be gaps.
LO: Right, right. I feel like a lot of companies kind of don’t think through how they can keep up with the quantity of bugs that are reported and make sure that proper triage teams are set up. And there are all kinds of challenges that they don’t really think to flesh out there.
CE: Yeah. And the remediation side as well. Like, how do you – I think the thing that I like most about this model overall is that it teaches companies that vulnerabilities are a product of human creativity; it’s not like this, like, hit in the sand, you know, catastrophic failure. It can become that if you repeat the same thing over and over again. But to begin with, it’s because people make mistakes: like, you write a letter, you make some spelling mistakes; sometimes those actually change the meaning of the letter, which to me is an analogue for a vulnerability in software. And as organizations realize, “Oh, this is a part of how we do stuff; like, how are we going to compensate for that feature of human creativity, like mitigate the risks that might already exist? But then figure out how to actually get better? How do we improve as an organization with this sense of almost confidence in the transparency of just thinking like that to begin with?” It’s, to me, the companies that are over that hump end up being the ones that are most secure, because it just becomes a part of how they do everything else. It’s not like this other thing you wrap on top; it’s just a part of how you build your business. So right, yeah, that can take some time, because different organizations are at different stages of realizing that.
LO: That’s a really good point. And before we wrap up, I also wanted to make sure I ask you, you know, what are some of the top bug bounty trends that we should be looking out for in 2020, and going into next year that you’re seeing?
CE: Yeah, I think the accelerated adoption of vulnerability disclosure as kind of a norm – I was about to say best practice, but I actually think of it just as a normal part of being on the internet, as I said before – with the inclusion of best practices, like adding, you know, authorization clauses to create safe harbor, adding things like coordinated vulnerability disclosure timelines that are practically set, so at that point, as an organization, you’re actually creating a public statement of accountability for the fix, not just how you’re going to treat someone who’s reporting to you. So I think that’s something that is going to continue to accelerate. And what we saw this year was the voting machine manufacturers started doing that; we’ve seen states start doing that with respect to election systems. In particular, we’ve seen the Department of Homeland Security issue a binding operational directive for every federal agency in the U.S. to do that. So those are points where that behavior will, I think, trickle into the corporate space and globally as well. I think as well, just seeing – I mean, the big piece that I see happening from a technology risk standpoint is convergence. And that was already happening, but then COVID kind of distributed that convergence, now that we’re all working from different places, so really the attack surface and the way different buckets of technology are mixing together, watching the hunters adapt to that from a skill standpoint, but then also in terms of how they team up with each other.
So I think traditionally, it’s like, okay, appsec, or network security, or IoT embedded; there’s these type domains. What’s becoming more and more true over time is that they’re all pretty much interlinked now from a security standpoint, so seeing hunters become aware of that and start to take advantage of vulnerabilities that exist in the relationship between those domains, and actually use that to highlight that to the owner so they can fix it and think about it from a design standpoint. I think COVID is going to give that a bump, again, as I said, because we’re so, like, technology is so close to our face now as it relates to just life, let alone work. Life just doing life itself, I think, I mean, this is a great example of that.
LO: Yeah, exactly. Yeah. I feel like I’m always glued to my – I mean, not just my phone anymore – but now my laptop and, you know, everything else. But yeah, those are really good trends to look out for, and it seems like they’re also optimistic, which is a good thing too about certain parts of the bug bounty landscape.
CE: There’s no shortage of bad news.
LO: It’s always good to end on a good note.
LO: And Casey, thank you again for coming on today.
CE: Thank you for having me.
LO: Great. And, once again, this is Lindsey O’Donnell-Welch with Threatpost. If you liked what you heard today, please subscribe to the Threatpost YouTube channel. And if you have any comments or questions or your own thoughts or observations on the bug bounty landscape, please do leave a comment for us on our YouTube page. Thanks again for tuning in to Threatpost Now, and catch us next week.