An Examination of the Bug Bounty Marketplace

Here’s a fascinating report: “Bounty Everything: Hackers and the Making of the Global Bug Marketplace.” From a summary:

…researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs­ — programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.

Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms — ­the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework — they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next.

Posted on January 17, 2022 at 6:16 AM22 Comments

Comments

Ted January 17, 2022 8:54 AM

Yeah, it’s interesting that many of these bug bounty hackers are young. The reports says that 70% of the hackers at Bugcrowd are under 30. At HackerOne close to 50% of hackers are under 24.

HackerOne also says that the majority of their hackers, 89%, are based outside the US. In 2019, India accounted for 12% of registered hackers, while 11% were based in the US.

One researcher reported he believed companies were at least if not more worried about bugs that affected their business positions rather than just user privacy.

I wonder what these hackers, or security researchers, do as they get older? In the meantime, I hope this research keeps them out of the cryptocurrency markets.

Erdem Memisyazici January 17, 2022 9:45 AM

@Ted
“Yeah, it’s interesting that many of these bug bounty hackers are young. The reports says that 70% of the hackers at Bugcrowd are under 30. At HackerOne close to 50% of hackers are under 24.”

The whole thing grew out of numerous conditions one of which involves decisions made by law enforcement. You’d be surprised how many stories I’ve read involving a “freelance-hacker” meeting legal consequences for trying to report bugs. One gave up $50k and went public because of how ridiculous the binding terms were.

A tax lawyer finds a loophole in the law. Elsewhere a “hacker” finds a logical flaw in code.

Erdem Memisyazici January 17, 2022 10:36 AM

When I was 8 I literally could get away with hacking in Turkey. The Internet was not what it is now. There was no record of a hacker who uses a payphone to dial-up, because there were no cameras on every street corner either. Yet today we have programs for “young offenders” to be effectively groomed into an entirely broken industry based upon selling bad software for the access it provides.

https://www.bbc.com/news/technology-40629887

Young people need to be told about Quantum, how all of the Internet is recorded and stored forever and that they are not anonymous. We are giving them the sense that they can get away with it, but no, by design it’s impossible and we are abusing that lack of knowledge in my humble opinion.

Jon January 17, 2022 10:58 AM

So, Task Rabbit has been weaponized?

There’s no reason that the platform shouldn’t or won’t seek the largest payday for each hack.

“We’ve got three Zero-Day exploits for MS Teams root (insert favorite high value target). Who will open the bidding?”

Clive Robinson January 17, 2022 1:57 PM

@ Jon, ALL,

So, Task Rabbit has been weaponized?

So it would at first sight appear.

But whilst,

“Task Rabbit”[1] is seen as “home help on a leash” it has a darker side.

Which with much of the work starting at the “Humpers and dumpers” of “White-Van with man” through basic “DIY4U”, it is to many a glorified “Card in the shop window” system. That is you are paying for physical labour with low or semi-trade skills doing physical tasks in a predictable way.

But they became effectively “Gang masters” supplying teams and taking more than 1/4 “off the top”, which is both “To little and To much” where a business thinks it gets a good deal and the humper and dumper steady work. In essence the teams are not likely to be as specialised as required and the zero hours contract worker will be “held in place” as well as picking up all the risk.

But “thoughtfull work” such as finding exploits is very unstable work and almost like crypto-coin mining in the way it pays-back work.

I’ve gone through this before, but consider it’s a “Winner takes all” or “First Past The Post” system. You could spend a decade “just missing” and get one “Pay-day” even though you put in well over 80hours a week for 500 weeks or and not only do you have to pay-back for time spent, you have to pay-forward to keep going. So to make it worth while you’ld be looking to cover upto 85,000 hours of work at what you would consider a 2,000hours/year salary. So if the low end industry average is $150,000/year then that “pay-day” is going to need to be north of $6million…

Which we all know it is not, hence the oddeties in the smarter workers behaviour in that trade’s workforce.

Now you can just see the psychopaths lining up to get a slice of that action as they likrs of NSO and similar have shown. They are going to want “auction house” deals. Basically 20% buyers premium, 25% auction fee. Or for each million of successfull bid price (were the bidder pays 1.2m and the seller gets 0.75m) on that 6million payday they are going for $2.7million into their pocket, whilst the seller only gets 4.5million and all the taxes have to come out of that.

You can see why being at the bottom of that pyramid is already an explotation level few of us would tollerate.

But… We know it’s already happening.

[1] What can you say about “Task Rabbit” that’s not been said about Uber or the delivery side of Amazon? It is basically someone trying to put a layer of exploitation in over a traditional “Help Wanted” type card in the window service and thereby hope to control the market at a significant percentage by offering an illusion of something more that is realy not there.

It’s now owened by that Swedish Flat-Pack furniture purveyor “Ikea” who I’m often told –mainly by women– make impossible to assemble kits (personally I’ve never had any trouble with them). But there are a lot of people who pay for such things to be assembled for them in the Western World so I guess Ikea could see the potential of “doing an Uber” on the market..

Ted January 17, 2022 5:29 PM

@Erdem Memisyazici

NCA’s ‘rehab’ program to divert young criminally-leaning hackers to more constructive paths sounds like a good investment. I wonder how it’s turned out. Moving those curious minds to areas like forensic analysis and pen testing seem like better long-term strategies for everyone involved.

From the report it does sound like bug bounty hackers can still find themselves in unmarked legal territory. The authors mention a website https://disclose.io/ that offers a database of bug bounty programs where you can also search to see the status of a program’s safe harbor provisions.

Warren January 17, 2022 7:38 PM

Seems like software companies should recognize that it’s in their best intest to treat hackers a little better when they find and report bugs in a responsible manner. If they aren’t treated well, there are other, darker ways they could monetize their skills. Oops! … Is this already happening?

John Kahler January 17, 2022 7:55 PM

@Clive Robinson
It’s now owened by that Swedish Flat-Pack furniture purveyor “Ikea” who I’m often told –mainly by women– make impossible to assemble kits

I always heard that the English translation of Ikea is “How does this f’ing thing go together?”

Erdem Memisyazici January 17, 2022 8:04 PM

@Ted

I doubt those criminally leaning youth would actually attempt hacking if they knew there was 0% chance they would not be caught.

Erdem Memisyazici January 17, 2022 8:13 PM

@SpaceLifeForm

From what I understand “top” companies keep 0-days to themselves and sell their capability to access any device to anybody with the money.

Open source tends to get infiltrated by contributors who are actually working for those top companies.

Point being broken software is the current security business model, nobody is really interested in flawless code everywhere except for people who work on RFCs and the like.

SmartCo January 17, 2022 9:04 PM

A smart software company would setup bug bounty program that pays the bug finder the same rate as it pays in-house web dev for one month’s salary.

If really wants to motivate in-house devs to avoid-find-fix their own mistakes, also take the funds from their paycheck-annual-raise.

Ted January 17, 2022 9:41 PM

It’s wild that the US Department of Defense had better luck with bug bounty programs than they did with pen testing contracts.

The pilot bug bounty program for the DoD (“Hack the Pentagon”) cost $150,000 and produced 138 actionable reports in the first 24 days, according to interviews from this report. Previous pen testing contracts had cost “infinitely more than… $150,000” and produced maybe 10 reports that sometimes lacked the actionable detail that was provided through the bug bounty reports.

As you probably saw, this report said it did not cover the “offensive market” where bugs are sold and turned into exploits and attacks.

ResearcherZero January 17, 2022 11:00 PM

@Ted

It doesn’t surprise me DoD had more success with bug bounty, as the younger crowd keep up to date with techniques and developments. It also meets all the check boxes for the target based, business driven model of the Pentagon

Clive Robinson January 18, 2022 4:33 AM

@ John Kahler,

I always heard that…

+1

And a much needed smile on this cold and frosty London morning.

Clive Robinson January 18, 2022 4:54 AM

@ SmartCo,

A smart software company would setup bug bounty program that pays the bug finder the same rate as it pays in-house web dev for one month’s salary.

If you look back on this blog, you will find I mentioned I did something similar at a company I worked at once.

It works if done right, but is easy to get wrong and hard to stop certain unethical behaviour. Importantly it must only ever be used as a reward process not a punishment process. Further the reward in an “in-house” system should not be to large, otherwise it encorages imbalance in what people do.

Which brings about a very very awkward question. In a developer role you have the folloing too ellements,

1, Write code
2, Find fault with code.

We know that the first has a high defect rate and importantly rate range that we do not know the causes of. However even with defects it does provide a return.

The second is like “defence” one of those sunk costs that may not pay off, but might.

So you have the question of how much time should be spent on each element…

There is no easy answer and both have “hidden” advantages that are not easy to quantify.

It’s why trying to justify such a system to managment can be a very hard sell (and why should be described as a moral or team building technique that has a competative ellement).

Anders January 18, 2022 9:59 AM

@ALL

In light of that report is also time to “revisit”, how the
“high-end” market (=govt) works:

hxxps://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf

Jesse Thompson January 18, 2022 3:37 PM

@Clive Robinson

1, Write code
2, Find fault with code.

So what happens if you pay internal bounties, but only for fault found in code that coder was not responsible for writing in the first place?

It’s one thing if a person sandbags their own code to try to bleed bounties off of later premeditated refinements, but sandbagging one’s own code to “sell” easy hacks to colleagues who can turn around and get a bounty at a net profit actually opens up more cans of more worms that work against the erstwhile reward hacking.

1, If you aren’t being directly compensated to debug your own code (because that’s kind of your job to begin with) but your performance reviews still pivot on how many bugs are found by others (colleagues or outsiders) post-release, then when you manufacture and sell easy to cash-in bugs to colleagues you are also directly selling off pieces of your tenure.

2, Writing good code that does as it’s client needs it to is hard. Adding manufactured defects is harder: which is to say not-intended defects are both more likely to crop up and will be easier for those who find the manufactured ones to find as a side-effect. So somebody who puts 1 bug in their code is liable to have at least a dozen more bugs found against them than they would if they hadn’t tried to pull that stunt.

3, So the safer market than selling bug options to colleagues would instead be to pay colleagues (or buy a beer for, or trade favors, compensate in whatever manners the context makes most pallateable) to help you have an extra set of eyes on debugging your project prior to release.

JonKnowsNothing January 18, 2022 5:26 PM

@Jesse Thompson, @Clive, @All

re:


1, Write code
2, Find fault with code.

So what happens if you pay internal bounties, but only for fault found in code that coder was not responsible for writing in the first place?

There is a group charged with doing this: It’s called QA. They are supposed to test the functionality of all code and normally run regression tests to make sure stuff doesn’t break.

If you have ever peeked into the size of a bug database for even a medium size company you will have no trouble at all at finding bugs. Bugs by the thousands. The majority of them will never be fixed.

There is a clash between different resources and desired outcome.

1) Time to Market stops Functional Testing
2) Time to Fix loses to Hard Submit Deadlines
3) HotFix ends Regression

The Bug Bounties are designed or intended to find logic errors and coding faults that no one internally is given time to look for.

Bug databases are full of corner case and edge cases where logic faults and program design faults lurk waiting for exploit. They maybe documented but few will be addressed because the Fix is Not Possible in the context of the way things currently work.

Getting someone to spend a lot of “unpaid time” in hopes of a “one time payout” that will “never happen” is the subject of movies and Silicon Valley Stock Options.

===
Search Terms: They Shoot Horses, Don’t They?

Clive Robinson January 18, 2022 9:05 PM

@

There is a group charged with doing this: It’s called QA.

And there is another group : It’s called Code Review.

And hidden within the Scrum there is as the song says,

“that subtle w horing that costs to much to be free”

And it’s not just corner and edge cases that lurk in the various “Bugfix DBs” there are those “lesser features” and “unfinished features” with closed code stubs that hide a gorgons scalp nightmare of wrything threads, that in theory the tool chain crops as “unused”…

But what of those who develop the code in the first place, some can be a bit intense at times…

But hey nothing like that pre dawn double of jolt cola with a quad expresso chaser to keep you on your toes. Just remember that extra cinnamon roll with crushed Brazil nut to give you those carbs and minerals as well as hide that whole nutmeg kale taste of that high-health “natural smart” smoothy you have for breakfast. Oh and those yummy tuna sushi for extra omega 3 brain power…

It might not actually be doing it for you, in fact it may be doing you in[1]…

Some one I once worked with collapsed in the office around 11PM one friday evening after virtually living in the office for a week or two, on a “distress” project that had been dumped on them. They ended up admitted into hospital with all sorts of wires and tubes which ain’t a good look on a twenty something, who was naturally tall and willow and was a serious competative cyclist.

They had been going rather more than their normal charming weird you get from “maths types”, from what we all thought was “project stress” (bug-eyed, twitchy, odd speach, and looking gaunt). However having ridden in on the ambulance with them at “Accident and Emergancy” I was some what startled when the A&E staff started asking all sorts of “substance abuse type questions” and I suddenly thought “Oh no, have they been ‘speeding'” as some of those symptoms are the same… Turns out no it was not illegal substances but they had indeed poisoned themselves. With what was their own “healthy smart brain diet” that they had researched from “selected” peer reviewed papers and similar and concocted. They had been consuming it for some while and whilst no permanent harm was done apparently their biochemistry on admission was off the chart in some respects and the hospital had seen nothing like it before…

[1] Well last century “over healthy eating” was the preserve of the “I’m gona live for ever types” who had seen the flatworm studies. So it was a surprise back then. But as “eating disorders” go it’s getting more common for people to over do the health foods and try to replace fats and protiens with spices and herbs[2],

https://www.healthline.com/nutrition/8-health-foods-harmful-in-large-amounts

[2] If you look at the diets of people around the world you will see that those who have little meat protien in their diet develop a cuisine high in spices and herbs, to help achive some form of satedness. Quite often it is via the use of chillies and similar but can be other spices and herbs (of which many are poisons one way or another).

Chris Drake February 15, 2022 10:43 PM

“they are paid for each bug” – WOAH BACK. No they are NOT!!

In the last 25 years or so, I’ve reported more than 100 bugs, all serious, many extremely-so (RCE, money theft, etc) – and not even one single time have I ever been paid.

There is ALWAYS some reason why my reports do not “qualify” (but most of the time they still fix the bugs I report, even though they never pay for my work…)

… And that’s not even starting on the total-joke that is CVE – I’ve never once found a way to get anything I report into their database: the obstructive barrier of institutions that always refuse to accept reports at all (or reject any report you manage get to them) is staggeringly hard to get past.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.