When Jonathan Leitschuh found a catastrophic security vulnerability in Zoom, the popular video-conferencing platform, the company offered him money to keep quiet in the form of a bug bounty and a non-disclosure agreement (NDA) through Bugcrowd.
The security flaw affected millions of Zoom users on Mac, and Leitschuh wanted to see the issue fixed. He declined the bounty payment because of the NDA, gave Zoom an industry-standard 90-day embargo to ship a patch, and when the company failed to do so, he published his research.
Cue fireworks. Zoom got a lot of negative media attention and fixed the security flaw. Leitschuh's struggle to hold organisations accountable for their poor security posture is more common than you may think, and some security researchers feel the bug bounty platforms — HackerOne, Bugcrowd and SynAck — have become marketplaces where their silence is being bought and sold to prevent public exposure of insecure practices.
Used properly, bug bounty platforms connect security researchers with organisations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing.
However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, something multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."
Key takeaways from CSO’s bug bounty investigation
- Bug bounty platforms use NDAs to trade bounty hunter silence for the possibility of a payout
- All organisations need a vulnerability disclosure program (VDP); few need a bug bounty program
- Bug bounty platforms may violate California and federal labour law, and the EU’s General Data Protection Regulation (GDPR)
- You can't outsource a VDP entirely, only very tiny pieces, per ISO standards
- Bug bounty platforms and their use of NDAs contribute to a public safety issue due to unpatched security flaws
Bug bounty vs. VDP
A vulnerability disclosure program (VDP) is a welcome mat for concerned citizens to report security vulnerabilities. Every organisation should have a VDP.
In fact, the US Federal Trade Commission (FTC) considers a VDP a best practice, and has fined companies for poor security practices, including failing to deploy a VDP as part of their security due diligence. The US Department of Homeland Security (DHS) issued a draft order in 2019 mandating all federal civilian agencies deploy a VDP.
Regulators often view deploying a VDP as minimal due diligence, but running a VDP is a pain. A VDP looks like this: Good-faith security researchers tell you your stuff is broken, give you 90 days max to fix it, and when the time is up they call their favourite journalist and publish the complete details on Twitter, plus a talk at Black Hat or DEF CON if it's a really juicy bug.
"Getting ready for a VDP is technically straightforward but politically is a harder challenge," HackerOne's co-founder and CTO Alex Rice tells CSO in defence of the practice of providing private bug bounty programs to companies that lack a VDP, citing legal, regulatory, policy and risk management concerns inside customer organisations.
"Today we have people launching private bounty programs before VDPs, and that's a model that's worked well to start building that researcher relationship with a small number of hackers in a private engagement," he adds. "We could debate all day whether that’s right or not. Our conclusion is that it's right for some organisations."
The delicate balance of running a VDP and working with good-faith researchers is a win-win-win for society, for the impacted organisation, and for the security researcher, but some enterprises more worried about their stock price might prefer to pay money to make that pain point go away.
Bug bounty platforms offer organisations a tempting alternative. Researchers report security flaws under NDA and are paid to keep quiet. Maybe we'll fix the issues you reported. When we get around to it.
But there are no regulatory — or even normative — requirements to deploy a bug bounty, and for many companies unprepared to process a deluge of bug reports, a bug bounty is the wrong decision.
VC-powered marketing hype
Venture capitalist-fuelled dreams of building a billion-dollar unicorn cyber security gig economy are largely to blame for where we are now, Moussouris tells CSO.
“I want to get to 1,000,000 hackers [on our platform] … that’s really where I want us to be in the future,” HackerOne CEO Mårten Mickos told CyberScoop in July 2017. The company's February 2020 report "details the efforts and motivations of more than 600,000 individuals who represent our hacker community."
Except that 600,000 number is at least somewhat inflated. This reporter has two of those accounts, including one created, and forgotten, in 2017. Anyone can sign up for as many HackerOne or Bugcrowd accounts as they like.
SynAck requires applicants to apply with a resumé before giving them access to bug bounty programs. The real question: How many competent security researchers are finding and reporting bugs?
According to HackerOne's Rice, 9,650 HackerOne users submitted valid bug bounty vulnerability reports in 2019, with 3,150 of them sufficiently motivated and engaged to respond to the company's questionnaire.
That number of active users is far short of Mickos's lofty one million hacker goal. And as for the quality of those valid vulnerability reports… "I've seen some quote unquote valid vulnerability reports," Laurens ("lvh") Van Houtven, principal at Latacora, a secops and cryptography expert, tells CSO. "If someone asked me 'should I put this in my appsec report?', I'd say 'you can put it in there, but I will never let you live it down.'"
Moussouris, now founder and CEO of bug bounty consultancy Luta Security, questions how much of HackerOne is real. "Their latest report shows most registered users are basically either fake or unskilled," she says.
"The number of people making more than $100,000 over their entire time working on the platform is in the low hundreds. That number of relatively skilled researchers hasn't changed significantly at all, making their claim to have the largest number of hackers pretty misleading."
"These commercial bug bounty platforms ... are perverting the entire ecosystem, and I want to see this stop, even if it costs me personally," Moussouris adds. As a former HackerOne exec, she would profit handsomely from any successful HackerOne public stock offering. "I am speaking to you in the opposite direction of my own personal financial gain."
HackerOne also makes a lot of noise about its "hacker millionaires," who have made more than a cumulative million dollars each since the platform launched in 2012. What was the median income of a HackerOne bug finder in 2019? What about the average? How many vulnerability reports does the median/mean hacker submit? HackerOne declined to answer these questions.
Likewise, Bugcrowd tells CSO that it has "20,000-plus active researchers on the platform with an estimate of 2 to 3 million potential whitehat hackers available around the world."
How does Bugcrowd define an "active researcher"? Is that a calendar year 2019 figure, or a cumulative number since Bugcrowd first launched in 2011? Where does the 2 to 3 million whitehat hackers number come from? "At this time, we do not publicly disclose those details," a Bugcrowd public-relations rep tells CSO.
Covering up security issues
Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.
"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.
Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."
The bug bounty platforms' NDAs prohibit even mentioning the existence of a private bug bounty. Tweeting something like "Company X has a private bounty program over at Bugcrowd" would be enough to get a hacker kicked off their platform.
The carrot for researcher silence is the money — bounties can range from a few hundred to tens of thousands of dollars — but the stick to enforce silence is "safe harbour," an organisation’s public promise not to sue or criminally prosecute a security researcher attempting to report a bug in good faith.
The US Department of Justice (DOJ) published guidelines in 2017 on how to make a promise of safe harbour. Severe penalties for illegal hacking should not apply to a concerned citizen trying to do the right thing, they reasoned.
Want safe harbour? Sign this NDA
Sign this NDA to report a security issue or we reserve the right to prosecute you under the Computer Fraud and Abuse Act (CFAA) and put you in jail for a decade or more. That's the message some organisations are sending with their private bug bounty programs.
Take PayPal. The VDP on its website tells all bug finders to create an account on HackerOne and agree to the terms and conditions of their private bug bounty program, including the NDA. If you report a bug any other way, PayPal explicitly refuses to offer safe harbour to bug hunters.
"You won't find VDPs on HackerOne that don't permit any type of disclosure," Rice tells CSO, which at least in the case of PayPal appears not to be true. PayPal's VDP shoehorns every bug reporter into its private bounty program on HackerOne, and the only way to report a bug in good faith with zero expectation of a bounty is to agree to that private program's NDA.
HackerOne's website may label the program a "private bug bounty" instead of a "VDP," but it remains the sole published way to report a security flaw to PayPal at the time of this writing.
The PayPal terms, published and facilitated by HackerOne, turn the idea of a VDP with safe harbour on its head. The company "commits that, if we conclude, in our sole discretion, [emphasis ours] that a disclosure respects and meets all the guidelines of these Program Terms and the PayPal Agreements, PayPal will not bring a private action against you or refer a matter for public inquiry."
The only way to meet their "sole discretion" decision of safe harbour is if you agree to their NDA. "By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without PayPal’s prior written approval."
HackerOne underscores that safe harbour can be contingent on agreeing to program terms, including signing an NDA, in their disclosure guidelines. Bug finders who don't wish to sign an NDA to report a security flaw may contact the affected organisation directly, but without safe harbour protections.
"Submit directly to the Security Team outside of the Program," they write. "In this situation, Finders are advised to exercise good judgement as any safe harbour afforded by the Program Policy may not be available."
Rice says HackerOne discourages such conduct from customers and will kick companies off the platform if they take "unreasonable punitive action against finders," such as making legal threats or referring a finder to law enforcement.