Crowdsourced Cybersecurity: Hunting for Bugs

No matter how long a company works on a piece of software or online service, no matter how many rounds of internal quality assurance (QA) and testing it goes through, some vulnerabilities, glitches, flaws, or bugs can survive to reach the end user. To help track them down after release, it has become increasing common for companies, particularly in the software arena, to invite the hacking community to uncover and report those flaws with the promise that, in exchange for what they find, the companies will provide them a tangible monetary reward, amounting to a "bug bounty."

Bug hunters, assemble.

This approach to finding flaws is referred to as "crowdsourced cybersecurity." According to Ashish Gupta, CEO and president of Bugcrowd, which describes itself on its website as the "#1 Crowdsourced Cybersecurity Platform," crowdsourced cybersecurity "can help fill gaps within an organization's internal security team, as many companies still struggle with the lack of available security talent."

Bugcrowd is one of about 20 companies that recruit freelance teams of what they call "ethical hackers" to do the hunting for organizations who can't, or don't want to, set up such a program themselves. Other companies, especially large firms in the technology field, run their own.

A list compiled by review site VPN Mentor includes more than 700 bug bounty programs of both sorts active as of August 2021. The list ranges from Dutch bank ABN Amro to gaming company Zygna, and the rewards available are substantial. According to a list from online learning site Guru99, Intel will pay up to $30,000 for the detection of a critical bug, while Apple offers a bounty of $200,000 for security issues affecting its firmware. Starbucks will pay $4,000 for the identification of malicious activity in its Web and mobile applications.

The idea of letting a group of strangers try to find flaws in a product ran into resistance initially from companies accustomed to keeping a lid on information about security vulnerabilities. "I think that 10 years ago, this was definitely something that caused points of tension in the industry writ large," says Kaylin Trychon, security communications manager at Google. "Back in the day, I think it was a scary thing for some organizations; 'what are they going to find?'"

Mark Kuhr, CTO and cofounder of crowdsourced security platform Synack, recalls, "When we started the company back in 2013, crowdsourced testing with ethical hackers was a radically new concept that freaked out many executives. But crowdsourced testing isn't just more commonplace today; it's an industry best practice and an integral part of many companies' security programs."

Google goes all in on the hunt.

Google was on board with the crowdsourced security idea relatively early, establishing its first Vulnerability Rewards Program (VRP) in 2011. Since then, the company has awarded bounties totaling nearly $30 million to more than 2,000 researchers in 84 different countries, representing more than 11,000 bugs found.

Until this year, Google's VRPs were each run by its separate departments (Google, Android, Abuse, Chrome, and Play). In July, on the VRPs' 10th anniversary, the company brought all its programs together in a single Bug Hunters platform that provides a single intake form for reporting issues in all its products, and features reports on some recently found bugs.

The site also points prospective hunters towards some "low-hanging fruit" that the company encourages people to investigate. Among these are new products, such as the dashboard for the Google Apps Script editor, and products from new acquisitions by Google or its parent Alphabet. "Targets are added so that people also know what's newly eligible and can look at things that are bit fresher than some of the longstanding services," says Dirk Göhmann, a technical writer for Bug Hunter University. "One relatively recent addition was the stuff around Verily, a part of the Alphabet corporation that's newly qualified for the VRP."

Before launching the new platform, the VRP teams solicited feedback from the bug-hunting community about what they'd like to see on the site. "A leaderboard was one of the things that they mentioned that they would love to see," says Trychon, so the site has a page highlighting what it calls the "Bug Hunter A-listers," ranked by total rewards earned. The leaderboard lets the hunters see how they stack up against their peers in a sort of gamified competitive environment.

Bug Hunter U

Another new element of the Bug Hunters platform is an education component, Bug Hunter University (BHU).  "The real motivation behind it was that a lot of bug hunters report vulnerabilities and invest a lot of time, and they're very disappointed if the reports get rejected," explains Göhmann. "One of the goals of the university is to be transparent about the criteria that Google's applying—what kind of issues are relevant, and especially which ones aren't relevant—so that they can get on the right track."

"It's also for experienced bug hunters who maybe want to learn about a different tactic or a way to do something that they haven't tried before," adds Trychon. "So it's not just for beginners, it's also for intermediate and even expert bug hunters who are always learning, always iterating."

The BHU page offers suggestions on how to improve reports and how best to submit them, and also outlines the kinds of reports that would likely be considered invalid, such as reports of common SSL/TLS vulnerabilities for which mitigation measures are already in place. These pieces of advice are often accompanied by video demonstrations, and the plan is to roll out more of those. "We're working with external security researchers, YouTubers, who are turning the most important ones into videos," explains Göhmann. "Some people don't like reading articles but will watch a video. We want to enable people to publicize their reports, so others can see what other people have reported and see how Google has rewarded or not rewarded them."

Successful bug hunters reap more than monetary benefits from publicizing their activities, Trychon and Göhmann say. Hunters have been known to highlight their position on the leaderboard on their resumes. "Being on the Google leaderboard shows they found things that have been recognized," Göhmann says.

Kuhr has seen the same pride in a successful hunt among the hackers with whom his company works. "Claiming one of our bounties is a badge of honor in the research community," he says. "It sends a strong signal about their technical prowess and their work ethic. It's really something our community of hackers are proud to promote."

From Kuhr's perspective, Google's growing attention to crowdsourced security is all to the good. "The more people working to find and fix vulnerabilities, the better off we'll be," he says.

In addition, says Kuhr, "We also have a cybersecurity skills shortage. There simply aren't enough people doing the work today. Hopefully, Google helps teach more people how to hack for good and can begin filling the talent pipeline with skilled researchers and technologists better equipped to handle today's cybersecurity risks."

Jake Widman is a San Francisco, CA-based freelance writer focusing on connected devices, Smart Homes and Cities, Extended Reality, and other emerging technologies.