Crowdsourced Security is Redefining the Gig Economy, and Not in a Good Way

Let's pretend you have offensive security skills and you want to use them for gainful employment. You attend a job interview and you listen to the benefits of what this company has to offer.

First of all, most of the time you’ll be working for free – unless you find a vulnerability, and then they might pay you a few weeks later. You’ll also receive no paid sick days, paid holidays or days off of any kind because, well, you’re working for free, remember? The tools you’ll need for this job, including laptops, mobile devices and any other widgets, you’ll have to provide yourself. As for a pension? Of course not. Nor any other kind of benefits you might expect.

You would be forgiven for thinking this company is fictional, but what I’m describing is the reality of thousands of individuals who actively work on bug bounty programs for various crowdsourced security companies.

While there are parallels in the way crowdsourced researchers work to others in the gig economy, there is one crucial difference – gig economy workers are actually paid for their labour and can predict their income if they choose to invest two hours or two days a week.

The crowdsourced security business model means there are fewer full time employees, so the platform doesn’t have to burden itself with the high cost structure of recruiting and maintaining a workforce. When it comes to cybersecurity, that workforce is highly skilled, hard to find and expensive to maintain, so this gives the platforms numerous advantages over the pen testing companies they now directly compete against.

Who would actually sign up to this? Well, thousands, in fact. But first of all, there aren’t that many people actually working in this fashion. Forget the marketing statistics you hear – crowdsourced companies may claim anywhere from 150,000 to 300,000 people on their platform, but all they are doing is counting the number of sign-ups (zombie accounts that aren’t active).

When you drill down into the statistics, only a tiny percentage of those people have ever logged a vulnerability. I signed up to HackerOne and Bugcrowd, and spent most of my time on the latter platform. I came back to HackerOne in 2018 and saw that I was ranked 5800 out of 120,000, without ever logging a single vulnerability. I was in the top 5% of researchers on HackerOne without ever having done a single thing!

When I logged my first vulnerability my ranking jumped to 3000-odd, and my second vulnerability jumped me another couple of hundred places. This all implies that very few people actively participate.

So what is being done about this? Well, crowdsourced companies are acutely aware of this criticism and are slowly trying to address the issue.

Arguably the industry has a lot of work to do. I’ve lost count of the number of times I’ve had a company not pay out (either by ignorance or on purpose), ignore a vulnerability or just generally misclassify the severity of something that’s found to pay less.

The one exception to this is Synack, who have solved this issue by having a slightly different business model – they pay out from their own funds all the time, and negotiate with companies separately. This is also the reason they have the fastest payouts in the crowdsourced industry, and often you can be looking at money in the bank 48 hours after submitting a vulnerability – a long stretch from the weeks and months it takes for other platforms to pay.

Synack launched ‘missions’ a year ago, which are short, focused tests for a single vulnerability, whereby you’ll get paid whether or not you find the vulnerability. Bugcrowd have also launched their ‘next gen’ pen test, which follows a similar vein – if you work through a testing methodology but don’t find anything, you’ll get a lump sum, and if you find vulnerabilities then you get paid for those too.

It’s hard to see this continuing into the future: bug bounties and disclosure platforms aren't new anymore, and it’s telling that the researchers you find on one platform are the same ones you find on the others. Simply put, those with a desire to do so now participate in bug bounties and the recruitment drive is over – there isn’t a never-ending stream of researchers to pull from.

This is problematic as their entire business model depends on two things – a continuous stream of people looking for vulnerabilities and having those people do it mostly for free.

As the bottomless pit of researchers hasn’t materialized, platforms have had to switch tactics. ‘Cycling’ researchers is common – for example, if you have 30 researchers assigned to a private bounty program, and say 20 of those haven’t logged a single vulnerability in a few months, it’s fair to say they aren’t looking anyway, so you cycle them out and invite 20 new people in to replace them. This generates that constant flow of researchers, and a different set of eyeballs might spot something the others haven’t (this is one of the primary advantages of crowdsourced security over pen testing, so it makes complete sense).

The other technique is gamification: payments are increased for certain companies and this is communicated to everyone to rekindle interest. The introduction of badges, achievements, T-shirts and all sorts of goodies as rewards is also common if certain criteria are met (hitting certain targets or finding certain types of vulnerabilities, for example). Some of the notifications look almost like sales offers.

This is essentially a race to the bottom: techniques like this will work in the short term, but will come up against the same long-term boundaries. There isn’t an infinite supply of highly skilled specialist labor that works for free.

This is a slow start to what will be a long road if the industry is to avoid the negative press that usually surrounds the gig economy. Until then, crowdsourced security has redefined the gig economy, and not in a good way.