Singapore is leading the bug bounty movement in the region to pit good against bad, but are bug bounty programs sustainable?
Just before the SARS-CoV-2 coronavirus nightmare hit, nearly 300 white hat hackers from around the world participated in the Singapore government’s third bug bounty program, which ran from November 18 to December 8, 2019.
A total of 13 public government Information and Communication Technology (ICT) systems, digital services and mobile applications with high end-user touchpoints were put to the test. Hackers discovered 33 valid security vulnerabilities and earned US$30,800 in bounties, making this the most successful round of the bug bounty program to date for the Government Technology Agency (GovTech).
Singapore’s Government Bug Bounty Programme (GBBP) is an ongoing initiative to build a secure and resilient smart nation, to improve the lives of residents and increase business opportunities through the adoption of digital and smart technologies. The program is run on the HackerOne hacker-powered security platform and supported by the Cyber Security Agency of Singapore (CSA).
Why bug bounty programs?
Hacker-powered security continues to be a core tenet in GovTech’s approach to cybersecurity, with three bug bounty programs successfully completed to date. Also, a vulnerability disclosure program (VDP) was recently launched to incentivize any ethical hacker in the world to disclose a vulnerability at any time to GovTech.
As bug bounty programs go, the GovTech program stands out in that it draws on the largest global ethical hacking community, uses generous incentives to grow the global white hat community for the benefit of the region as a whole, and also grooms a local pool of benign hacking talent.
HackerOne continues to be selected to manage GovTech’s bug bounty programmes because of its proven track record of success with government agencies globally, including its work with the US Department of Defense and the European Commission. Its community of more than 600,000 members from 170 countries around the world attests to its scale and reach in helping a small nation, whose digital aspirations and economic force attract an equally powerful community of malicious hackers.
Having an audacious bug bounty program also serves to grow local and regional hacker talent pools to level the playing field. In a past program run by the country’s Ministry of Defence, half of the invited participants were local white-hat hackers, while additional programs by the government continue to attract global players to join in the hunt for exploitable vulnerabilities.
According to a HackerOne spokesperson, “hacker-powered security is the foundation of any mature and proactive security program. By providing an opportunity to engage local as well as global hacker talent, GovTech is not only delivering on its Smart Nations goals, but also enhancing the way it services its (people) in terms of safety, security, and opportunity.”
Similar trends worldwide
This latest bug bounty challenge occurs against the backdrop of an evolution in cybersecurity, where everyone from government agencies to Fortune 500 companies is embracing the positive power of ethical hackers.
Policymakers across the globe are recommending hacker-powered security, with some even introducing legislation to encourage and even require adoption. In the Asia Pacific region, the adoption of hacker-powered security is growing with the number of hacker-powered security programs increasing by 30% in 2019, according to platform data in HackerOne’s security report.
Notably, Singapore organizations awarded the highest volume of bounties in the region last year.
Around the world, the ‘nice’ hackers earned approximately US$40 million in bounties last year alone, and US$82 million cumulatively. Over three-quarters of these hackers have been able to make or grow their careers out of this pursuit.
Do bounties skew the intentions?
One known disadvantage of bug bounty programs is that they are susceptible to ‘group-think’, where obvious vulnerabilities can ironically be missed because everyone assumes someone else has already spotted them. This is unlike a standard penetration test, in which dedicated engineers follow a defined methodology to cover the system end to end.
Pentests can include open-source reconnaissance, port scans, thorough hacker-level evaluations of every service, manual attempts to attack a corporation’s own systems, and application-level testing of the unauthenticated portions of web services. Arguably, lessons from bug bounty programs are also shaping how pentests evolve.
Next, when a company sets up a bug bounty program, people from all sorts of backgrounds are free to probe the system. In worst-case scenarios, hackers of questionable intentions may probe beyond the predetermined testing perimeter and compromise a secondary system that was never meant to be touched. Attracting both kinds of hackers, intentionally or not, can thus put dangerous ideas and access in front of people who would otherwise never have had them. The program’s scope statement is the only control a program operator has here, so it needs to be precise enough that every submission can be checked against it.
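Scope enforcement is worth making mechanical rather than leaving it to a triager’s judgement. The following is an added example (my code, not the article’s and not the tooling of GovTech, HackerOne or any program mentioned here): it classifies a submitted target as in or out of scope for a constructed program. The program, its domains under the reserved `.example` TLD, the documentation IP ranges and the convention that a `*.suffix` wildcard covers subdomains but not the apex are all assumptions made for the illustration.

```python
"""Scope check for bug bounty / VDP triage (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Scope:
    """Program scope as a triager would transcribe it from the policy page."""
    domains: List[str]                       # exact hosts, or "*.suffix" for subdomains only
    networks: List[str]                      # CIDR blocks
    excluded_domains: List[str] = field(default_factory=list)  # always out of scope


def _host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against an exact name or a "*.suffix" wildcard.

    The wildcard deliberately does not cover the apex: a program that wants
    both must list "gov.example" and "*.gov.example" separately (an assumed
    convention; check the policy page of the program you actually triage for).
    Matching on the dotted suffix also keeps "notgov.example" and
    "gov.example.attacker.test" out of scope.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.gov.example" -> ".gov.example"
        return host.endswith(suffix)
    return host == pattern


def _extract_host(target: str) -> Optional[str]:
    """Return the hostname from a URL or bare host[:port]; None if unparseable."""
    try:
        if "://" in target:
            return urlsplit(target).hostname
        return urlsplit("//" + target).hostname
    except ValueError:
        return None


def check_scope(target: str, scope: Scope) -> str:
    """Classify a submitted target as 'in-scope', 'out-of-scope' or 'invalid'.

    Exclusions are checked first, so a wildcard cannot accidentally pull a
    carved-out legacy host back into scope. IP literals are checked against
    the CIDR blocks, names against the domain patterns.
    """
    host = _extract_host(target)
    if not host:
        return "invalid"
    if any(_host_matches(host, ex) for ex in scope.excluded_domains):
        return "out-of-scope"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip in ipaddress.ip_network(net, strict=False) for net in scope.networks):
            return "in-scope"
        return "out-of-scope"
    if any(_host_matches(host, pat) for pat in scope.domains):
        return "in-scope"
    return "out-of-scope"


# Constructed scope for a fictitious program: ".example" is a reserved TLD and
# 192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges.
PROGRAM_SCOPE = Scope(
    domains=["gov.example", "*.gov.example"],
    networks=["192.0.2.0/24"],
    excluded_domains=["legacy.gov.example", "*.legacy.gov.example"],
)

if __name__ == "__main__":
    for t in ["https://services.gov.example/login", "legacy.gov.example",
              "http://192.0.2.10:8443/", "198.51.100.5", "notgov.example"]:
        print(f"{t:40} {check_scope(t, PROGRAM_SCOPE)}")
```

Running a submission through `check_scope` before it reaches a human triager is cheap, and the result is also the evidence you want on record if a hunter later argues that a host they hit was “close enough” to the published perimeter.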
Whether conditional payment skews behaviour is also still an open question. With hundreds of globally distributed testers, the condition is that they only get paid if they find a vulnerability, at predefined rates for each level of severity. Does that not mean hackers will gravitate towards hunting only the high-paying vulnerabilities?
Even if bounty rates do not affect hacker motivations, there are the standard arguments that a white hat may turn grey or black in future (for a whole host of social, psychological or ideological reasons) precisely because of the mercenary instincts encouraged by such competition, or that what appears to be a white hat is actually a cover for a state-sponsored entity. And there is no stopping bounty hunters from violating their agreements.
Finally, there have been recent cases where bug bounty programs have been used to buy silence.
The future of bug bounty programs
Notwithstanding how the bug bounty concept benefits careers and corporations, automation and machine learning appear to be the way forward in managing some of the uncertainties of human motivations.
Combining automation with white hat insights allows ethical hackers to maximize the impact of their research. For example, incentives could in future be built into every system to crowdsource white hat VDP participation, reward it sustainably, and feed the results back into every system in the ecosystem. This way, a researcher who submits a finding could secure thousands of websites by sending in a single vulnerability report.
Going forward, automation may make white hat testing a commonplace feature that feeds machine learning systems to dynamically consolidate actionable information for sharing. Until then, bug bounties are still a work-in-progress that are proving helpful to shorten security learning curves while broadening the scope of systemic introspection.
Let us just make sure that such programs do not give corporations an overinflated sense of security that leads to complacency, oversights and human errors elsewhere down the line.