The Edge Singapore

Can hiring bug bounty hunters help eliminate cyber vulnerabilities?

Winning at cybersecurity requires thinking like a hacker. Here's how hiring white hat or ethical hackers can fortify your organisation's cyber defence

By Khairani Afifi Noordin, khairani.noordin@bizedge.com

As companies continue to embark on their digital transformation journeys and migrate to the cloud, cyberattacks have become more rampant and sophisticated, especially since the start of the pandemic. According to cyber threat intelligence firm Check Point Research, there were 925 cyberattacks per week per organisation globally at the end of 2021, with Asia Pacific averaging 1,353 weekly attacks per organisation.

Cybercrime will also cause companies a lot more damage in the near future. Research firm Cybersecurity Ventures expects cybercrime costs to grow 15% per year for the next five years, reaching US$10.5 trillion ($14.3 trillion) annually by 2025, up from US$3 trillion ($4.09 trillion) in 2015.

To identify and fix their vulnerabilities, more companies are now running bug bounty programmes, which compensate hackers for successfully identifying security exploits. Michael Lew, of the Singapore Fintech Association's cyber risk sub-committee and CEO at Rajah & Tann Technologies, says bug bounties have risen in popularity over recent years as companies have started realising the benefits of having ethical hackers review their systems and networks.

"Unlike black hat hackers who break into networks with malicious intentions, ethical hackers or white hat hackers are security experts who perform security assessments and inform companies of vulnerabilities, so that the issues can be fixed. In that sense, bug bounty exists to permit this group of white hat hackers to find vulnerabilities and get rewarded for it," says Lew.

The rise in prominence of bug bounties has also led to the birth of companies like HackerOne, which acts as an intermediary between ethical hackers and companies seeking cybersecurity assessments. In 2021, 66,000 valid vulnerabilities were reported by hackers on HackerOne, over 20% more than the figure recorded in 2020.

The bounties that hackers stand to earn can be very attractive. In fact, decentralised autonomous organisation MakerDAO launched the biggest ever bug bounty this year, offering a US$10 million reward per critical vulnerability. Meanwhile, Google and Zoom paid US$8.7 million and US$1.8 million respectively in bug bounty rewards last year alone. Zoom's figure is quadruple that of the previous year as it ramps up programmes supporting independent vulnerability research.

To be clear, not all bounties offer exorbitantly high payouts, although payouts are on the rise. According to HackerOne, the median price of a critical bug rose 20% from US$2,500 to US$3,000 in 2021. The average bounty price for a critical bug also rose by 13%, and by 30% for a high severity-rated bug.

Microsoft, for example, has an ongoing Microsoft Hyper-V bounty programme, which offers rewards ranging from US$5,000 to US$250,000. The programme aims to find vulnerabilities in its hardware virtualisation product, Hyper-V, that affect server hosting scenarios such as Azure.

Leveraging an external set of eyes

There are many types of vulnerabilities that ethical hackers can find when assessing a company's systems and networks. According to HackerOne, the top three vulnerabilities are cross-site scripting, in which malicious scripts are injected into trusted websites; information disclosure, wherein sensitive information is unintentionally revealed to users; and improper access control, where software fails to restrict access.

Why do companies need external resources to examine their systems and networks to begin with? Lew shares that on top of relying on their own internal resources, organisations typically conduct their vulnerability assessments by engaging external cybersecurity consultants to do penetration tests. Usually, this is done on a scheduled basis of around once or twice per year.

"However, cybersecurity issues do not happen once a year. Black hat hackers can attack all year round, which means there is always an impending risk that companies are bearing. Running a bug bounty programme mitigates this risk," he says.

Companies also run bug bounty programmes to engage the skills of a pool of cybersecurity professionals, making it a better alternative to hiring a small team from one private cybersecurity firm. "Instead of having two to three experts, bug bounties can be participated in by more than 100 people. Additionally, companies only need to pay on a successful basis, so they don't have to pay anyone in advance. This is especially beneficial for smaller companies, which may not have a large cash flow," he highlights.

Many bug bounty hunters are also creative and actively push boundaries, says Frederick Fung, chairman of the Association of Crypto Currency Enterprises and Start-ups Singapore (ACCESS). They can find new angles of possible system vulnerabilities that internal teams or organisations may not be aware of.

He adds that more cyberattacks have been targeting fintech firms over the past few years. These firms typically have limited resources while handling large customer transactions, on top of handling large amounts of invaluable customer personal data that may be very attractive to hackers with malicious intentions.

Deeper into the fintech space, a rising number of blockchain and cryptocurrency-related companies are becoming victims of cyberattacks, with increasing amounts of money being siphoned out. Fung cites the recent case of crypto gaming giant Axie Infinity, which suffered the largest crypto heist to date.

On March 29, Axie Infinity found that its Ethereum-linked sidechain, which is a separate blockchain network, was exploited for 173,000 ETH and US$25.5 million worth of the stablecoin USDC. The hack totalled US$625 million, making it the largest decentralised finance (DeFi) hack ever recorded, surpassing Poly Network's US$602 million exploit in September 2021.

"As the value at stake is high, it definitely makes sense for companies within the industry to further invest in cybersecurity and run bug bounty programmes to identify their vulnerabilities. Let's consider the return on investment. In DeFi, we count by total value locked (TVL) inside the ecosystem. Black hat hackers can steal the entire US$100 million TVL, or the company could reward 1% of the TVL to incentivise ethical hackers. Which makes more financial sense?" explains Fung.

Acknowledging talent shortage

The number of bounty hunters has increased over the years. HackerOne found that in 2020, the number of white hat hackers who found security vulnerabilities increased 63% y-o-y. Aside from the monetary rewards, these hackers are also looking to benefit from the hands-on experience and skills recognition, opening them up to better career opportunities.

The growing pool of bounty hunters also means stiffer competition. As bug bounties are typically open to ethical hackers globally, some may never be successfully compensated, shares Fung, citing his personal experience. This is why it is quite challenging to turn independent bug bounty hunting into a full-time job.

"Right now, established companies are already following standard security practices and doing their own penetration tests. There are also automated scanning tools that can do a quick check on common vulnerabilities that companies may be exposed to. Unless the hackers are security researchers attached to a research institute, I think it's very difficult to bounty hunt full-time," says Fung.

Lew concurs, adding that there is no reason for companies to limit their bug bounty programmes to certain geographical locations. "The spirit of bug bounty is that it can be participated in by hackers from all walks of life, with varying degrees of skill and expertise. [This is because] even the most skilled hacker sometimes can't find a bug that a junior hacker is able to."

While the increasing number of ethical hackers hunting for bugs is encouraging, the cybersecurity industry is still struggling with a lack of talent. Despite an influx of 700,000 professionals into the cybersecurity workforce, the global demand for cybersecurity professionals continues to outpace supply, resulting in the cybersecurity workforce gap, the International Information System Security Certification Consortium found in its 2021 study.

While all areas of cybersecurity are affected by the talent shortage, the top-cited categories of highest need were Securely Provision at 48%, followed by Analyse, and Protect and Defend, each with 47% of study participants saying they need more staff in these areas.

Singapore itself faced an estimated talent shortage of up to 3,400 cybersecurity professionals in 2020, according to the Cyber Security Agency of Singapore. While the Singapore government has done a lot in trying to make cybersecurity more attractive to the younger generation, Fung says it is a challenging feat as there is not a lot of talent in the computer science space to begin with. "Currently, there has been more emphasis and incentives placed to attract the younger generation to computer science, such as education grants and hackathons. Hopefully, we will see an easing in the cyber security talent shortage," he adds.

Notably, Singapore's Government Technology Agency (GovTech) launched its seasonal Government Bug Bounty Programme (GBBP) in December 2018. More than 1,000 local and international white hat hackers have participated in four GBBP iterations, with over 100 valid vulnerabilities reported and US$100,000 paid out to participants.

The Singapore government has also introduced the Vulnerability Rewards Programme (VRP) and Vulnerability Disclosure Programme (VDP). VRP is a continuous operation open to all registered HackerOne white hat hackers who have achieved HackerOne Clear status. Rewards can range from US$250 to US$5,000 depending on the severity of the discovered vulnerability, while a special bounty of up to US$150,000 is offered for critical vulnerabilities that could cause an exceptional impact on selected systems and data.

Meanwhile, VDP is open to all members of the public. While it does not involve any monetary rewards, validated vulnerabilities under the VDP are rewarded with HackerOne reputation points. As of March 2021, more than 400 valid vulnerabilities had been reported under the VDP.

Running a successful bug bounty programme

How can companies run a successful bug bounty programme? To start, it is important for them to outline their structure very clearly, asserts Fung. For instance, they should clearly state what constitutes a bug and what does not, aside from outlining a scope that defines which systems a hacker can test and how a test is conducted.

Aside from setting a competitive bounty, companies will also need to decide whether they require participants to reveal their identities. "If companies want the bug bounty participants to be fully vetted to protect their systems, they might be losing out on highly skilled hackers who prefer to be anonymous. It is a very delicate balance," Lew explains.

Typically, companies that run bug bounty programmes with platforms such as HackerOne or Immunefi, the leading bug bounty platform in the Web 3.0 space, will be guided through a more structured process, says Fung.

After the bugs have been validated and bounty hunters are paid, companies will then need to proceed with remedying the vulnerabilities. Many companies may choose to be opaque about this process, not wanting the public to be aware of the bugs found in their networks and systems.

However, Fung advises companies to be transparent about the bugs found and the steps taken to patch or fix the vulnerabilities, if the issue is not too confidential and damaging to the company.

"Companies can release a report on how they were hacked and encourage the community to learn from their experience. If another company uses the same service that [is vulnerable to cyberattacks], for instance, it can patch its systems to avoid the same issue from happening. This promotes a much healthier ecosystem for all," he says.

Photo (ACCESS): Fung: Given the increasing number of cyberattacks, it makes sense for companies to run bug bounty programmes to identify their vulnerabilities

Photo (Singapore Fintech Association): Lew: The spirit of bug bounty is that it can be participated in by hackers from all walks of life, with varying degrees of skill and expertise

Photo: More companies, including Microsoft and Zoom, are now running bug bounty programmes to leverage an external set of eyes to identify security exploits

Photo credits: Shutterstock, HackerOne
