The Bug Bounty Business: How Solution Providers Are Cashing In

Crowdsourced security vulnerability testing was a completely uncharted business opportunity for the channel as recently as four years ago. But where other solution providers saw a competitive threat to the services they already provide, NCC Group saw an opening.

The Manchester, England-based information security assessment and consulting firm is the first solution provider to offer services to help customers establish their own bug bounty programs. Software companies and other businesses use bug bounty programs to compensate outsiders for uncovering and reporting flaws in their hardware or applications. After enjoying some early success, NCC — which has 11 offices in North America — broke out its bug bounty activities into a separate practice in 2015.

Today, the 2,000-employee company brings in millions of dollars in revenue each year by providing consulting, scoping, triage and remediation services for customers that have launched bug bounty programs. The net financial impact of NCC's services is almost incalculable, given that it is helping customers uncover hard-to-find security vulnerabilities and fixing them before those customers become the next big breach headline-maker like Equifax or Sony.

[Related: The 25 Tech Bug Bounty Programs With The Biggest Payouts]

One of NCC's enterprise software customers leveraged a bug bounty program to discover a flaw in its payments API. This bug report revealed that the customer's validation process failed to ensure the account number provided to the API in the final step of the payment process was a real account number, said NCC.

Hackers could have exploited the flaw to supply their own account numbers, which would have resulted in the customer's account appearing to be properly paid, when in reality the funds would be transferred to the hacker's account, a scenario NCC's customer was happy to have avoided in exchange for a $5,000 bounty to the intrepid bug hunter.

"It's all about transitioning clients from fear of vulnerabilities to embracing security vulnerabilities, and helping them understand that there are already bad people looking at their products and not telling them," said Adam Ruddermann, who joined NCC in late 2017 from Facebook, where he led the social media giant's bug bounty program. "It's way better to have that knowledge and insight and be aware of what's really happening out there."

As part of NCC's managed bug bounty service, Ruddermann meets with senior management, product managers and public relations to help them understand what it's like to work with security researchers. NCC also walks the customer through the life cycle of a bug to prepare them from an operations standpoint, he said.

NCC's internal security team, meanwhile, goes through the customer's product in detail to understand it better and capture any issues the customer already knows about, Ruddermann said. The company also examines the history of the product's security architecture so that NCC can better understand what it's looking at when doing triage work.

The core of NCC's managed bug bounty offering is its triage service, which Ruddermann said is focused on determining whether a submitted vulnerability is a misunderstanding of the product, something that's mitigated elsewhere, or a legitimate security flaw. Some foreign researchers also struggle with creating a technical write-up in English, so NCC can help figure out what the researcher is getting at.

From there, Ruddermann said NCC ensures it knows how to properly execute the vulnerability so that the company can fix it correctly. Finally, he said NCC completely rewrites the vulnerability report, providing more details on reproduction steps so that it's easier for a product team not familiar with security tools to re-create the bug.

A look at some of the companies providing platforms on which to run bug bounty programs shows that the industry has hit an inflection point. One such platform, HackerOne, has paid out $23 million in bounties as of early 2018, up from $10 million two years earlier, with the number of registered users on the platform skyrocketing ten-fold during that time.

Competing platform Bugcrowd has paid out $6.4 million to security researchers as of 2017, up 211 percent from a year earlier. The number of hackers on the platform has nearly doubled from 26,800 to 53,300 during that time.

The opportunity to crowdsource the spotting of security bugs comes as the cost of exploited vulnerabilities continues to rise. The average financial impact of a data breach in North America in 2017 was $1.3 million for enterprises and $117,000 for SMBs with 50 or more employees, according to a Kaspersky Lab survey, up markedly from $620,000 for enterprises and $46,000 for SMBs in 2015.

Putting Meltdown And Spectre In The Spotlight

Bug bounty programs are nearly as old as the internet itself. Netscape launched the first-ever "bugs bounty" all the way back in October 1995 when it debuted the beta version of Netscape Navigator 2.0, offering cash prizes to users that reported significant security issues and Netscape merchandise to users finding any security flaws whatsoever.

But it wasn't until the early 2010s that bug bounties really started to gain traction as companies like Microsoft, Google, Facebook and Mozilla rolled out programs of their own. The industry hit more milestones in March 2017 as Google increased its bounty awards by 50 percent, Microsoft doubled its top bounty award, and Intel started paying researchers $30,000 for spotting critical hardware flaws.

Nine months after Intel established its bug bounty program, a team of security researchers from Austria's Graz University of Technology reached out to the Santa Clara, Calif.-based semiconductor giant and let it know that they had found a design-level flaw in its chips that could slow down almost every processor in the world.

The vulnerabilities — which had also been found independently months earlier by Jann Horn from Google Project Zero — became known to the world in January 2018 as Meltdown and Spectre and are found in chips from other vendors such as IBM and ARM as well. Intel awarded the researchers a bug bounty for abiding by responsible disclosure guidelines and not revealing the issue prematurely, although it became public earlier than expected after it was reported by several media outlets.

Six weeks after Meltdown and Spectre came to light, Intel said it was raising its bounty awards across the board and launching a new, limited-time program focused specifically on side-channel vulnerabilities. The side-channel program will run until Dec. 31 and offer awards of up to $250,000 for critical issues.

In addition, the top reward in the regular bug bounty program (for critical hardware flaws) was increased from $30,000 to $100,000. Maximum awards for identifying firmware or hardware vulnerabilities in the regular program — regardless of the bug's severity — have at least doubled, and often tripled.

"We believe these changes will enable us to more broadly engage the security research community, and provide better incentives for coordinated response and disclosure that help protect our customers and their data," Rick Echevarria, Intel's vice president and general manager of platform security, said in a Feb. 14 blog post.

Why Pay For Bug Reports?

Companies without a formal vulnerability disclosure policy often remain in the dark about known flaws in their architecture, with nearly one in four hackers not reporting a vulnerability they've found due in part to fear of reprisal for conducting unauthorized testing on a company's products. And if they do end up reaching out, they might do so through a suboptimal method such as a LinkedIn post or public Tweet.

"It's super-undesirable, because it's visible to the whole world," said Michiel Prins, co-founder of HackerOne, San Francisco. "These things happen if there's no process in place."

Vulnerability disclosure programs are therefore becoming accepted as an industry best practice, and are today recommended by everyone from the U.S. Department of Defense to the Food and Drug Administration.

In fact, one of the Senate's first questions to Equifax following its disclosure of a massive data breach was, "Do you have a vulnerability disclosure program?" said Casey Ellis, founder, chairman and CTO of Bugcrowd, which partners with VARs, systems integrators, managed security service providers and security consultants to provide greater access to the company's offering.

But despite the regulatory guidance, HackerOne has found that just 6 percent of the Forbes Global 2000 companies have a known vulnerability disclosure policy. Still, there are signs of progress, with the share of bug bounty programs from industries other than technology climbing from 28 percent in 2014 to 41 percent in 2016 as more government, media, banking and e-commerce players establish programs.

Bug bounties weren't on the radar of San Antonio-based Denim Group or its customers as recently as 18 months ago. Today, bug bounty-related services account for roughly 5 percent of Denim Group's security revenue.

"It's not yet a significant portion of our business, but it's growing quickly," said Dan Cornell, principal and CTO of the software security advisory company. "It's something that is very interesting to us."

Denim Group's differentiator is fully understanding where a bug bounty program fits into the customer's overall security strategy, Cornell said. As a result, Cornell said Denim Group can effectively determine on a customer-specific basis which security issues should be addressed through threat modeling or internal penetration testing and which should be sent out to the broader researcher community via bug bounty.

Cornell also has tasked some of his team with evaluating and providing context around the vulnerabilities being reported through HackerOne and Bugcrowd. Denim Group doesn't have a dedicated bug bounty practice today, but Cornell said that could certainly change in the next year or two.

"Even with the stuff the bug bounty providers are doing, we've found that a number of organizations still need additional support on top of that in order to provide appropriate context and vetting of the reports that are coming in," Cornell said.

Solution providers can help with sorting the wheat from the chaff, as roughly 30 percent of reports provided through HackerOne's public bug bounty programs in 2017 were marked as spam, not applicable, or something of a similar nature. Plus, vulnerability submissions as a whole have been on the rise, with a 67 percent increase in reports made through the Bugcrowd platform between 2016 and 2017.