July 7, 2020

This week on The Vergecast interview series, Verge editor-in-chief Nilay Patel talks to founder and CEO of Luta Security Katie Moussouris.

Moussouris has a long history in computer security, working at Microsoft and the Department of Defense to create their first bug bounty programs, which incentivize catching and reporting security bugs and vulnerabilities in computer software systems.

Nilay and Katie discuss the history of bug bounty programs, from the early iterations to the current state of affairs, from good to bad. Though Moussouris says the concept of hiring hackers to make organizations more secure has numerous positives, the commercialization of the practice has generated blind spots along with other unintended incentives.

Below is a lightly edited excerpt from that conversation.

Nilay Patel: Where are the failings of a bug bounty system?

Katie Moussouris: Well, right now, honestly, the failings, I’d have to say, are in the commercial implementation of bug bounties. So my company basically goes into and assesses organizational maturity, like, “Are you ready for this? Can you handle the truth?”

And a lot of the questions we ask, companies are like, “Yeah, but we want to do this industry best practice thing called a bug bounty. And we know that you make all these big bug bounties. So you just make us a bug bounty.”

And I’m like, “But you haven’t actually been able to keep up with patching the systems that you know are out of date. How can you actually deal with this additional volume?” And they say, “Oh, but we’ll just hire a bug bounty service provider, and they’ll take care of everything for us.” And I’m like, “Wait a minute. What part about your internal patch process did you not understand from the rest of the questions?” Because they’re sitting there going, “We’ve been told we can outsource this.”

I see it as failures of both sides of the marketplace. I used to work for a bug bounty company. I believed in this model as, “Hey, why don’t we make it easier to connect companies with hackers and make it safer for everybody? And eventually, the companies and the governments will become more secure, and eventually, the hackers will also not only stay out of jail and make a living, but they’ll scale up.” Because ideally, what you want to see in the whole world is no low-hanging fruit anymore. You want to see people actually addressing those bugs themselves — preventing them, ideally. But even if they accidentally coded up some low-hanging fruit bugs, to be able to detect them themselves. Not count on third-party randos on the internet to tell you about this low-hanging fruit.

“We’re not seeing actually a good evolution of the state of security as a result of these programs.”

So where I’ve seen this as a failure is that commercial bug bounty platforms, basically their business model is you stay bad at security to ensure that there’s a lot of low-hanging fruit found and the relatively low-skilled labor that hangs on the bug bounty platforms — with very few exceptions, there are very skilled folks on these bug bounty platforms. But I believe I read the latest report in one of the leading bug bounty platforms, out of 600,000 registered users, 146 of them have never made more than $100,000 in their entire lifetime on the platform. You know, a professional penetration tester, even 15 years back when I did this, the starting salary was already over $100,000.

So we’re not seeing actually a good evolution of the state of security as a result of these programs. We’re also not seeing a good evolution of the state of the cybersecurity workforce. We see a huge bottom of the pyramid, which is kind of the folks who are in a position to run free or not exactly free scanning tools and kind of give you the low-hanging fruit reports. And they make up the majority of bug bounty hunters. And this tiny little top of the pyramid of highly skilled workers — that is, literally less than 200 people — are at the very top. And that’s despite these businesses being around for the last eight years.

It’s so funny that you’re describing an economic model for cybersecurity, for hacking, that looks an awful lot like a user-generated content platform economic model. You could have just described YouTube or Instagram or any of these other platforms that promise lots of people access but only reward a small fraction of the folks. Is that the accurate analogy?

Absolutely. I mean, the rules of bug bounty are only the first person to report a unique bug gets paid for it. So think of all the low-hanging fruit. You could be spraying and praying your scanning tools, but to even make money on something that was very easy to get, you just need to be the first one in. So there’s a whole lot of unpaid labor that goes into these platforms.

And then let’s say even when you’re operating at sort of higher technical levels and finding more esoteric bugs, we hear complaints left and right of companies saying, “Oh, we knew about that bug already, so we’re not going to pay you. It’s already in the process of getting fixed.” So there’s tons of stuff where individuals are not getting what they signed up for. I look at it as yet another failed implementation of the gig economy marketplace right now.

We all had a lot of high hopes that the gig economy would help a lot of people. And it’s not been turning out great, really, for the labor side of things. But in the case of bug bounty, it’s perhaps not turning out great for the buying side, the hiring side, either. They’re not able to access a huge new labor workforce. That tiny number of folks who are very skilled and making good money on these platforms, they maybe don’t want to give up their lifestyle. A few of them decided to work in-house at companies, but they’re kind of keeping their bug bounty moonlighting abilities on the side and everything. So we’re just not seeing the whole gig economy, as expressed in bug bounty platforms, working out for either side of the equation.

So to keep this analogy going, maybe past its breaking point, when we were critical of a YouTube or Instagram, the thing that is true there is that it’s working out perfectly for YouTube and Instagram. They have no incentive to fix it because they’re reaping all the rewards. I would imagine at least there’s more actual money flowing through the bug bounty ecosystem, and there is the very real threat of “Hey, there’s vulnerabilities in our software.” So it can seem like there’s some incentive to change it, to change that model. What changes have you perhaps seen coming, or does that incentive just not exist?

Well, after leaving one of the bug bounty organizations, I stayed on as an adviser for pretty close to a year and worked with them on various mutual clients. I’ve had customer overlaps with a lot of the bug bounty companies, or even all of the major US ones. And the thing I keep seeing in their business model is that I would like to help organizations get more mature. So fewer low-hanging fruit bugs, more esoteric bugs. But all of their business models depend on there being chum in the water all the time of low-hanging fruit.

So they don’t want the process delays of [when] my company frequently goes in and says, “Are you ready for this? Have you invested internally in finding the bugs yourself? Did you know it’s up to 45 times cheaper if you actually identify security bugs in the design phase?” And that basically ultimately ends up delaying the adoption of bug bounty, which isn’t appropriate for everybody and definitely not appropriate if you can’t even patch the bugs you know about.

So I believe the inherent conflict that’s come up with the different business models — bug bounty versus the advisory services that my company provides — is bug bounties can help with a tiny fraction of what you already have to do for vulnerability management, but it’s being positioned as the easy button for it. We’re seeing a lot of companies come to grips with the fact that they’re still having breaches even if they have a bug bounty, or that they can’t bounty everything.

There’s one airline that has had a bug bounty for a little over four years. That’s United Airlines. Is it on the planes? No, it’s on the websites. It’s against the website. So how are we safer in the skies? Well, we’re perhaps not. But the appearance of looking like you’re doing diligence with regard to vulnerability management, I think that’s where commercial bug bounty enablement platforms have been pushing, like, “Look, you know, just look really busy.” Yeah, you’re playing whack-a-bug and everything, and this is super inefficient, but you can say that you take security very seriously and you’re fixing all these low-hanging fruit bugs and whatnot. We won’t call them that. We’ll just say that, you know, there are all these bugs and that it’s super valuable. And when you get breached, maybe you won’t be in trouble since you can say, “Well, we tried. We had a bug bounty and just nobody reported that particular issue to us.”

So I don’t know. I mean, I would want to say this is all evolving in the right direction, but in all honesty, I’ve seen it devolving, especially in the last couple of years of the commercialization of bug bounties.