On a recent edition of the award-winning podcast Risky Business, Bugcrowd CEO and founder Casey Ellis defended bug hunters with the line “bug hunters don’t make the bugs, they find the bugs.”
In particular, he was referring to the story that the Pentagon would allow vulnerability researchers to test the department’s cybersecurity profile. I had the chance to meet with Ellis last week at the end of the annual RSA Conference in San Francisco, the city to which Ellis had relocated from his native Australia.
He explained that after the company launched in late 2012, he moved to San Francisco six months later. The company ethos centres on facilitating communication between two groups “who need each other but do not always get along”, according to Ellis. “Our core offering is to resolve the HR issue,” he said. “We started with a series of meetings with customers who dealt with Facebook and Google about bugs, and we distributed the necessary model. We said, consider the cost of paying a bug hunter versus paying someone by the hour.”
Ellis said that businesses realize that they lack the people and processes to iron out vulnerabilities, so paying others is a better option. “All companies say the same thing: if you remove the ‘bugs’ then this is something bigger than a penetration test.”
Bugcrowd now has 50 staff and 25,000 researchers registered with it, all of whom go through a background check to prove their legitimacy. Ellis said it is about “making the conversation happen”, and regarding the Pentagon, he said that what struck him was how the market is adopting the concept of vulnerability disclosure and bug bounties.
In a recent article, Ng Wei Khang, author and founder of Apixel IT Support in Singapore, highlighted the issue of “double-dipping”, wherein a hacker might collect a prize for reporting a bug and then sell the same information to malicious buyers. I asked Ellis what he thought of this, and he acknowledged that it is a risk and always a possibility, but said that paying the first person to report a bug puts the onus on the company to fix it quickly, closing the window of exploitability that “double-dipping” depends on.
“To quote Dan Kaminsky, not everyone wants to be a drug dealer,” he said. “It is not just about money, but a lot of it is about reputation and you improve that through credits.”
Bugcrowd conducted a Twitter poll this week on “what is the top reason for researchers to publicly disclose?”, and 31% of the 256 respondents said it was for “professional advancement”. Returning to the ethos of Bugcrowd, Ellis said that some organizations refuse to acknowledge that they have vulnerabilities, not because of incompetence, but that this is something that is growing. “Code is a product of humans, and how to manage mistakes and find them before they are attacked: this is the fundamental problem that we are getting to,” he said.
“Vulnerabilities are talked about like they are the bogeyman, but companies need security, and if they don’t believe in that, they will believe in bug bounties.”
Looking to the future, the prices being paid for vulnerabilities continue to increase, with Microsoft’s payment of $100,000 in 2013 now being followed by Facebook paying $15,000 for a brute force bug. Ellis said that the challenge is to “break out of the sandbox”, as other verticals look at Facebook and Google paying bounties but think it is irrelevant to them, and that is why the Pentagon story was so important. “It pushes the idea further into the broader market,” he said.
“There is a bulk of opportunity for both sides. When we started, the industry thought that bug bounties were a problem, but now they have the ability to do a job. What would be ideal is if we use this lead and use it to change the way people think about software complexity against a crowd of adversaries.”