Platform Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/platform/

Why Bug Bounty Payouts Are Worth Far More Than Their Cost
https://www.bugcrowd.com/blog/why-bug-bounty-payouts-are-worth-far-more-than-their-cost/
Thu, 09 Nov 2023 18:20:48 +0000

Our daily lives are powered by mountains of code that underpin digital civilization. To secure these heaps of endpoints and digital infrastructure, bug bounty programs have emerged as an effective and ethical way to engage with hackers to counterbalance aggressive threat actors. However, historically, there has been some reluctance from program owners to reward participating hackers at market rates, mostly due to an outdated understanding of ROI.

At Bugcrowd, we strongly believe that:

  • Appropriately rewarding hackers (see our rewards recommendations below) is an absolute requirement for all-around success in bug bounty, and
  • The economic benefits of fair, market-rate payouts far outweigh their cost.

Let me explain why.

Case Study: MOVEit Transfer Vuln

The infamous MOVEit Transfer Critical Vulnerability (CVE-2023-35708) is a good example of how a relatively modest bug bounty reward would have paid for itself many, many times over. 

As the Russian-speaking cyber syndicate Clop orchestrated a wave of extortion against numerous companies last season, the narrative was dominated by the scope of the incursion: numerous compromised organizations, personal data of millions siphoned, and copious volumes of sensitive information leaking into the dark web.

Central to this attack was the deployment of a zero-day exploit. Whether this vulnerability was a product of Clop’s own cyber reconnaissance – or, what seems more probable, procured from a dark web forum – it provided a digital crowbar to pry open defenses. Sifting through dark net forum posts reveals indicators that threat actors were actively paying large amounts of money for high-impact vulnerabilities.

Now let’s take a look into the known impact of the MOVEit Transfer vuln on organizations and individuals, to date:

Impacted organizations: 2,561
Impacted individuals: 67,174,909

In cybersecurity economics, quantifying the financial fallout of security incidents is napkin math. But it is very feasible to sketch an illustrative financial portrait by drawing from statistics reported in IBM’s Cost of a Data Breach Report 2023. If we apply the average toll of a data breach for each compromised record (US$165) to the tally of confirmed individuals affected by the incident, the estimated financial impact is a staggering US$11.08 billion. That figure speaks for itself!

Thinking ahead

When we speak with CISOs, it is common to hear the concern that implementing a robust bug bounty program will require a financial investment that can strain limited budgets. However, short-term thinking often leads to long-term problems.

For the sake of argument, let’s assume that a program commits to paying on the higher end of our suggested reward ranges with a payout of US$20,000, not US$5,000, for each critical vulnerability (and this assumes only one is found). The long-term impact would include:

  • Long-term cost savings: Investing in a comprehensive bug bounty program can lead to substantial long-term cost savings because the cost of addressing a security breach far exceeds the cost of a $20,000 bounty payout: Per the Cost of a Data Breach Report 2023, the average total cost of a data breach is well over $4 million.
  • Protection of brand reputation: The impact of a cyber attack on a company’s reputation can be devastating and long-lasting. Customers lose trust in brands that fail to protect their data, leading to churn and lost revenue. Customer trust is an invaluable asset that, once lost, is costly to regain–far more costly than $20,000.
  • Competitive advantage: A strong security posture can be a competitive differentiator. Companies that demonstrate a commitment to security attract more customers and partnerships. A well-funded bug bounty program signals to the market that a company is serious about security, potentially giving it an edge over competitors. You could never buy that reputation with a paltry $20,000 marketing campaign.
  • Avoidance of potential fines, legal fees, and insurance premiums: As we described in a previous post, a significant breach can lead to millions in downstream costs–making that $20,000 look like a really good investment.
  • Access to expertise on-demand: Bug bounty programs on the Bugcrowd Platform crowdsource the expertise of the global security community, offering access to a diverse range of skills and perspectives that internal teams may lack. This access to a broader knowledge pool can augment, extend, and enhance a company’s security team far more effectively than relying solely on internal resources. Without it, do you have the ability or the funds to employ experts for every skill and asset 365 days a year?

Hackers agree: Per Bugcrowd’s 2023 Inside the Mind of a Hacker report, 84% of them believe that most organizations do not understand the true risks of a breach.

New recommended reward ranges

For the reasons above, there is no downside to scaling your program toward even the upper range of market-rate payouts over time. (Also keep in mind that your program is competing with others for hacker attention, and money talks.) In support of that point and to reflect the current marketplace, we recently updated our recommended reward ranges for bounty programs – informed by benchmarking the most successful programs on our platform after mapping hundreds of thousands of data points about vulnerability types, severity levels, and payouts.

Respecting these recommendations is not only a proven method for enhancing impact, but it’s also the right thing to do for hackers who invest a lot of time in uncovering weaknesses that you want to hear about before potential threat actors do.

As market rates adjust over time, we continue to gather data about what makes successful programs work, and new categories (such as AI) emerge, we’ll make adjustments to these recommendations, as well. 

How Different Hacker Roles Contribute to Crowdsourced Security
https://www.bugcrowd.com/blog/how-different-hacker-roles-contribute-to-crowdsourced-security/
Wed, 22 Mar 2023 08:45:46 +0000

We can’t say this too often: Adopters of crowdsourced security are only as successful as the hackers/security researchers with whom they collaborate, whether it’s in a crowdsourced penetration test, bug bounty, or something else. A major ingredient in that success is the ability to match and activate the right hackers and/or pentesters for the task at hand–and quite often, the types of hacker roles involved also make a big difference in the results.

When evaluating the value of crowdsourced security, many people focus on the number of researchers who will be focused on your targets. While this is a logical approach, it’s just as important to consider the diversity of perspectives that a “crowd” can provide. For example, in a traditional penetration test, the findings usually reflect the perspective of a single “type” of tester (more on that below), and the results are aligned with that one perspective, albeit ones that conform to a methodology. In contrast, a genuinely crowdsourced pen test (not a “crowd-washed” one) inherits value from the full range of thoughts, approaches, and styles that only a crowd can provide–and that enables more comprehensive, intense testing to find more diverse types of bugs. Furthermore, it’s a strong signal that “pay for effort” (typical of an industry-standard pen test) and “pay for impact” (typical of a bug bounty) testing models are highly complementary.

At Bugcrowd, we think of hackers/pentesters as belonging to one of five distinct roles: Beginners, Recon Hackers, Deep Divers, Generalists, and Specialists. (It’s also important to keep in mind that over time, hackers/pentesters can and will journey from one role to another.) Each type has an important role to play in a given program, and those roles are relevant to how the Bugcrowd Platform’s CrowdMatch™ technology matches the right crowd to a customer’s needs, at the right time, across hundreds of dimensions.

Next, let’s take a look at each type of role in more detail.

The Beginner

Beginners on the Bugcrowd Platform refer to those who are new to the concept of crowdsourced security in general, rather than just being new to the platform specifically. When assessing a hacker’s level of experience on the platform, we may consider factors such as their participation on other platforms or their published research and tools. However, if such information is not available, we may assume that the hacker is a beginner in the ecosystem, at least initially (although this may not always be the case).

It’s important to note that being a Beginner does not necessarily mean that an individual is unskilled, even if they’re only submitting P3/P4 issues. For example, they may be working through a course to broaden their skill set, or they may have limited public presence but already work as a pentester and want to further develop their skills. Typically, this type of hacker covers vulnerability classes that others may not focus on as much, including P4 issues related to authentication and authorization, as well as simpler infrastructure issues (such as DMARC). 

Beginners add value in terms of coverage and consistency. Their participation in a program ensures, for example, vulnerabilities that would typically be found in a penetration test are also identified in a bug bounty program. The last thing we want is for a customer to follow a pentest with an overlapping bug bounty, and only then learn about a bunch of lower-priority items!

The Recon Hacker

Recon Hackers focus on identifying issues across the largest scope possible, so these individuals often discover P2/P3 issues that would not typically be found in a penetration test.
Over the past few years, Recon Hackers have dominated every provider’s leaderboard due to the proliferation of subdomain takeovers, particularly Route 53 and EC2 takeovers. While these takeovers are now largely patched, the leaderboards remain askew, and thus the highest-rated hackers may not always bring the maximum level of impact.

It’s important to note that many recon-based hackers are highly skilled. However, many of those who take a recon-first approach have found a lucrative niche, and thus tend to focus on refining their toolkit to further exploit only that niche.

The Deep Diver

Deep Divers are the most valuable hackers for Bugcrowd to identify, engage, retain, and uplift. These are hackers who tend to focus on a particular program, learn as much as they can about it, and provide unique and distinct value. A Deep Diver can uncover vulns that nobody else can due to their persistence and long-term knowledge of how a program operates.

Identifying these hackers is best done by analyzing the content of their submissions–rather than just looking at the spread of vulnerabilities on a program–due to the unique nature of these findings. 

The Generalist

Generalists take a multifaceted approach: They have a solid foundation in reconnaissance and utilize it to cover attack surfaces thoroughly, without relying solely on large-scale monitoring and tooling. Generalists also apply a deep-diving approach to evaluating assets, similar to the Deep Divers. While they may not spend as much time on a particular program as Deep Divers do, they invest considerable amounts of time across a variety of programs. Due to their dual proficiency in recon and deep diving, Generalists gain a reputation on the Bugcrowd Platform quickly and are highly valued.

The Specialist

Specialists are a rare breed who require specific sourcing for an engagement. They possess unique and rare skill sets, and typically have years of experience in a particular technology (e.g., APIs, AI, IoT, web3) or a specific Bugcrowd VRT category.

As you read in the introduction, one of the Bugcrowd Platform’s greatest strengths is its ability to source and activate specialists to meet a program’s specific skill-set needs. Due to their specialized knowledge, Specialists can uncover issues that other hackers may miss, and they often provide invaluable, unique solutions to a problem. 

An Engineered Approach

To maximize the contributions of each hacker role, Bugcrowd is strategic in its approach to sourcing and engaging with them. For example, adding Beginners to a program that has been running for three months may lead to frustration and a high number of duplicates, while adding Generalists too early dilutes the ability for Beginners to up-level themselves through their findings. Therefore, program maturity is an important input for our platform’s CrowdMatch™ technology when it sources the appropriate roles.

To summarize, different hacker roles contribute to crowdsourced security programs in different ways, and it’s important to deeply understand the program’s needs to make the most of those contributions. To respect that process, unlike other providers that rely on leaderboards or coarse-grained methods, Bugcrowd’s engineered approach intelligently sources and activates the right role types and skills for your programs, at the right time.

New Wave of Legislation Puts Crowdsourced Cybersecurity in the Spotlight
https://www.bugcrowd.com/blog/new-wave-of-legislation-puts-crowdsourced-cybersecurity-in-the-spotlight/
Tue, 11 Oct 2022 17:04:47 +0000

The last several months have been momentous for cybersecurity regulation. In the U.S. alone during 2022, 40 state or territory legislatures introduced or considered more than 250 bills or resolutions that address cybersecurity in some significant way. Per the National Conference of State Legislatures, common outcomes of this legislation include:

  • Requires government agencies to implement cybersecurity training; to set up and follow formal security policies, standards and practices; to have incident response plans in place; to provide mandatory training for employees; and to report security incidents, including ransomware attacks
  • Provides funding for cybersecurity programs and practices in state agencies, local governments and schools
  • Mandates security practices related to elections
  • Establishes or supports programs or incentives for cybersecurity workforce training and education programs

The U.S. Congress was equally active at the Federal level, with several major bills passed and signed into law:

  • Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires “critical infrastructure entities” and federal agencies to report significant cyber incidents to the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the incident, and to report ransomware payments within 24 hours of the payment being made
  • Better Cybercrime Metrics Act calls for the Department of Justice (DOJ) and National Academy of Sciences to jointly develop a cybercrime taxonomy for improving tracking and analysis.
  • National Cybersecurity Preparedness Consortium Act of 2021 allows the DHS to collaborate with nonprofit entities for designing and implementing cybersecurity training in support of homeland security.
  • State and Local Government Cybersecurity Act of 2021 establishes a collaborative relationship between the Department of Homeland Security (DHS) and state, local, tribal, and territorial governments–as well as with corporations, associations, and the general public–for driving cybersecurity education, proactive and defensive security, incident response, and more.

Federal legislation on deck for enactment in the near future includes the Intergovernmental Cybersecurity Information Sharing Act, DHS Roles and Responsibilities in Cyber Space Act, and Cybersecurity Grants for Schools Act of 2022.

The list above, of course, doesn’t include numerous, similar legislative initiatives already in flight around the world!

This Trend is Not Your Friend

The quick takeaway is that this legislative trend is shining a bright spotlight on crowdsourced cybersecurity. Why? Because this trend’s emphasis on proactivity and measurement will influence how cybersecurity strategy is designed and implemented across organizations of every size, type, and industry. And that strategy will create burdens for which few security teams are resourced.

A key part of many of these legislative requirements is to first understand and quantify risk across the attack surface, which for most orgs is now exposed in complex ways that can be hard to grasp. And there is simply not enough hireable talent in the world to meet that goal, much less to remediate the associated risks–especially when challenging assets involving APIs, IoT devices, cloud infra, and Web3 are involved.

Fortunately, crowdsourced cybersecurity is here to help solve that problem (among others)!

Crowdsourcing Do’s and Don’ts

Crowdsourced cybersecurity brings a lot of value to this challenge in theory, but in practice, you have to be thoughtful about your approach:

  • Don’t treat crowdsourcing like a consulting project, or use narrow, purpose-built tools (e.g., just for bug bounty).
  • Do use a SaaS platform that brings crowdsourcing to multiple security workflows, and layers them for maximum risk reduction.
  • Don’t rely on solutions that count on the same leaderboard over and over to deliver results.
  • Do rely on one that activates the right crowd for your needs, at the right time.
  • Don’t rely on solutions that treat every vulnerability as if they’ve seen it for the first time.
  • Do rely on one that has access to rich, historical data to add context for prioritization and remediation.

Learn More

Don’t let government mandates catch you flat-footed. The Bugcrowd Security Knowledge Platform™ delivers all the “do’s” above, and more. Read our platform ebook to learn more!
