Bug Bounties: What's the payoff?

28 October 2022

Bug bounties can be a cost-effective way of identifying code defects and remediating vulnerabilities in an application or website. These programs work by tasking testers with unknown and unvalidated credentials to identify bugs and potential exploits in exchange for financial reward and recognition.

Market opinion is divided on the benefits of bug bounties. Permitting unknown testers to attack your environment requires a high degree of trust and puts the confidentiality and integrity of data at risk. Bug bounties present the opportunity for unreliable testers to obfuscate their activity, create backdoors, or exfiltrate sensitive data from the network. Professional testers argue that the methodologies used by bug bounty hunters aren't systematic, often lacking business context or awareness of the internal mitigating controls already in place to address known issues.

In contrast, Google and the US Department of Defense use bug bounties to gain external skills and resources, and to test beyond the limitations of their own capabilities. HackerOne, a credible bug bounty operator, reported that the average reward in 2020 was $3,650 USD (around $5,100 AUD), notably less than the average $1M AUD ransomware payout reported in Australia [1]. Bounties are clearly cheaper than ransoms; the open question is whether they are a viable approach to mitigating attacks and breaches.

A recent string of cyber attacks has demonstrated the damage a cyber incident and threats of extortion can cause to a brand and its customers. Notably, the Optus threat actor, who stole 2.1M identification numbers and extorted the telecommunications company, claimed in their final public announcement that they would have notified Optus of the vulnerability had a bounty program been in place. What may have started as an unsolicited bug bounty hunt showed that there is no honour among thieves, blurring the line between bounty hunter and cyber villain. While raising the alert through a bug bounty program could have been a quick win and possibly mitigated further attack, more often than not rogue testers use these opportunities as a source of income and may focus only on landing a big pay day, making the line between extortion and bounty negotiation indistinguishable.

As the Optus attack was of low sophistication, the root cause could have been identified through routine testing activities as part of a proactive cyber security program. A proper in-house testing regime employing various vulnerability and threat hunting techniques could have prevented one of the biggest and most widely criticised cyber attacks in recent Australian history.

As threat and vulnerability hunting becomes the cornerstone capability of all cyber operations, organisations must employ proactive approaches to defend their company and customers. Bug bounties, if implemented, need to be executed as part of an established program with a defined scope, and must not be the only preventative control. Bug bounties should work to provide coverage of 'blind spots', continuously evaluate the environment, and preserve limited company resources.

Not to discredit the utility of bug bounty programs, but relinquishing control over finding your own bugs puts you in the same position as Optus. Proactive vulnerability hunting as part of a broader cyber program places you ahead of bounty hunters and cyber crime syndicates alike.

[1] 2022 McGrathNicol Ransomware study