There is a vocal group within the pentesting community that is speaking out against the bug bounty industry, and if you’re familiar with the controversy around Uber the complaints might sound familiar.
Some of the charges that frequently come up are:
- Bug bounties are exploitative of bounty hunters
- Bug bounties are bad for traditional pentesters
- Bug bounties don’t allow for a fixed cost for vulnerabilities
Let’s take each of these individually.
Claim 1: Bug Bounties are exploitative of bounty hunters
As with Uber and similar ride-sharing services, bug bounty companies have a contractor-like model. The bounty hunters are not employees of the companies running the bug bounties. They’re just users registered within the platform that have signed up to perform work when it becomes available.
[ NOTE: This article refers to bug bounty companies, not to companies that run their own bug bounties. ]
So the question is whether those bounty hunters in the system are being exploited—presumably because they could have gotten a real penetration testing job and all it’s associated benefits.
This is another analog to the ride-sharing industry, but there’s a key difference: The entire world can’t become Uber drivers in Manhattan, but the entire world can find bugs in a public bounty (assuming they have the skills and a computer).
That’s a critical difference in this ethical question. With bug bounties people are able to earn money anywhere in the world finding security vulnerabilities when they are unlikely to find a job with a traditional pentesting company. This could be because they don’t speak a certain language well, or they have no traditional education or certifications.
The next question from there is the following:
Well, fine, it helps people…but why not hire them as regular employees instead of exploiting them as contractors?
This is basically the reason Uber is in court. The charge is that Uber is exploiting people, and ultimately harming the economy and the middle class in general, by not offering its workforce the benefits of employment.
Their answer is that it’s a tradeoff. It’s true you don’t get benefits, but it’s also true that you get to work whenever you want to, which you don’t get to do in traditional worker / employer relationships.
And in many ways it’s the same conversation with bug hunters. If a hunter were to be employed by one company they’d likely have a lot of restrictions placed on them&mdadh;not the least of which would be that the hunter couldn’t do bounties for competing companies. And that would be a problem. Most hunters work for many services simultaneously, and they enjoy that flexibility.
But this is ignoring the biggest reason why Uber can’t just hire all the drivers, and why bug bounty companies can’t just hire all the hunters: it’d be really bad for the business—perhaps to the point of being unsustainable.
It’d be taking on incredible overhead and risk, and managing the employees would become so much of the businesses focus that it’d likely struggle to continue innovating. Keep in mind I’m not saying this is good or bad; I’m just saying it seems to be the reality.
Claim 2: Bug Bounties are bad for traditional penetration testers
The next claim comes from penetration testers that are seeing the ground shift below them. This is often from established veterans who have seen some of their standard work go to bounties.
I think a lot of this is simply a standard, expected response to change—especially when that change impacts you in some negative way. Taxi drivers don’t like Uber, and average pentesters don’t like bug bounties.
But I think elite pentesters, and pentesting companies, have less to worry about. The analog there would be private car services that provide service levels far beyond what taxis (and Uber) can provide. They will only lose a small subset of their work to the newcomers, while the average pentester or pentesting service will see far more impact.
And maybe that’s ok.
Maybe it’s ok for people in largely poor countries (who usually can’t get posh pentesting jobs with great benefits) to get some of the business that was going to the old system.
This is especially true if they’re producing decent results for less money, and what I know of the industry tells me that they are. It could simply be that there are many average pentesters out there, producing average results. We know this to be true by definition. And it could be that they’re a bit too comfortable with their high pay and relatively low bar for output. The difference between an average pentester and an elite one is tremendous.
So we might simply have a case of, “Get off my lawn.”, which I’m ok with if it’s helping customers get better results and talented security people around the world make some money from their skills.
Claim 3: There is no standardized value for vulnerabilities
This one I don’t get, and I’m not even sure how it’s an attack against the bug bounty industry.
Vulnerabilities don’t have constant values because very few things do. And in technology this truth is magnified tenfold. Vulns have value based on two main things: 1) How hard it is to find them, and 2) How much impact it’d cause if they were exploited.
How hard it is to find a given bug depends on a lot of things.
- How many people are looking
- How much skill it takes to find the bug
- How many instances of that bug actually exist
And how much impact exploitation would have depends basically on the technology involved, which is also changing constantly.
And then the price paid per bug fluctuates according to these numbers. But it’s not like there’s a chart somewhere that lists prices for vulnerabilities. Most of these factors listed above vary according to micro-climates and micro-economies.
But getting back to the question: which of these do bug bounty companies affect?
- How many people are looking
Bug bounties basically get more eyes on the problem, which in turn helps those additional eyes (who are often largely excluded from the global economy) make some money.
I don’t see a problem with that. It’s not like the world doesn’t need help in this regard. There are far too many bugs and far too few security testers.
Analysis and summary
So here are my thoughts and takeaways:
- Right now bug bounty companies are helping global bug hunters rather than hurting them. We’re largely talking about people who don’t have many other legitimate ways to make money, so getting paid to find vulnerabilities is a net gain for them. This could change in the future as their situations improve, but right now it seems to be a net-positive
- It’s true that the low to middle tier of penetration testers may experience a squeeze as the result of tens of thousands of eager and competent people being injected into their previously restricted space. But that’s a good thing. Pentesters have enjoyed the advantage of being special magicians for too long, and it’d be a good thing to have a little pressure applied to them. The top 10% will barely notice the shift, and if it takes out the bottom 10% we’ll call that a win
- The only way bug bounty companies affect the value of bugs is by finding them faster through greater numbers, and I don’t see an ethical way to argue that this is a bad thing
I for one welcome the masses to the testing space. We’re glad to have you.
- Full disclosure: I work for IOActive, which is in my opinion the best security services organization in the world. We embrace bug bounty companies because 1) the world needs as much help as it can get, and 2) when you’re good at what you do you don’t see competition as a threat. The more the merrier in our opinion.