Harnessing the power of the crowd can lead to significant improvements in cyber security
How many cars does Uber own in order to maintain its current value of over $60 billion? How many rooms does AirBnB own? The answer to both is zero. In this day and age, utilising the skills and equipment of a wider community is cutting-edge business thinking. This crowd-sourced approach, which was spearheaded by KickStarter and then morphed into the sharing economy with Uber and AirBnB, can teach those wrestling at the sharp end of cyber security a thing or two.
Software has vulnerabilities in it: bugs, legacy code and shortfalls are all hidden away in there. Why? Because it is still primarily hand written, crafted by individuals and teams who are forever adding new functionality to capture our imagination. All of the software running on your desktop, laptop, mobile or tablet is not finished – not yet. It is good enough for release, and as and when issues are found the software company will issue updates in the form of software patches. This process relies on those bugs being reported, logged, evaluated, verified and then assigned to a usually relatively small team of engineers, who will labour to the best of their ability to resolve them.
Companies that integrate many different software platforms, from firewalls and virus control to their choice of email service or cloud provider, equally have collective vulnerabilities. Their corporate software ‘footprint’ will be unique to them: a combination of hardware and software that will not be replicated exactly anywhere else.
Hence their vulnerabilities will be equally unique. Here again a relatively small team of engineers will be diligently working to maintain uptime on all systems, patching where needed and keeping their own IT monster under control.
They could all do with a little more help. They could all benefit from a crowd of individuals willing to spend time and effort investigating and reporting back on shortfalls that can be addressed, preferably before the hackers get wind of them and compromise them severely. Well, that time has come. Bounty hunting for bugs is real, and there are many highly skilled individuals out there who are willing to help you – for money.
The concept behind bug bounty hunting is relatively easy to get a handle on. A company opens up its products, or its systems, to the crowd, who are tasked with finding issues. Should an issue be found and verified, the hunter receives a bounty.
Even with its almost immeasurable resources, the internet giant Google is asking the bug hunters to assist it in finding faults with its famous search engine, YouTube and its blogging platform, Blogger. It set up the Google Vulnerability Reward Program (VRP) in 2010 and has been running it ever since.
Think this is daft? Individuals are starting to make a very good living out of this. Google will pay up to $10,000 (US) for “complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code”. How many of those would an out-of-pocket but highly qualified computer science graduate need to complete in a month to shun the concept of a normal 9-to-5 job?
If you are not Google and do not have the necessary resources to set up your own bounty program, then don’t worry: a third party will do it for you. HackerOne is that company. Headquartered in San Francisco, they pitch themselves as “the first vulnerability coordination and bug bounty platform”. They were created by security leaders from Facebook, Microsoft and Google, and according to their website they “Empower companies to protect consumer data, trust and loyalty by working with the global research community to surface your most relevant security issues”. They are the middle man between you and the bounty hunters. Sign up, set up a project, set your bounties and release it to the community. If you do, you will be in safe hands: Adobe, Yahoo, Twitter, General Motors and even The Pentagon are using HackerOne to get their issues resolved.
To date HackerOne has paid out over $7 million (US) in bounties and claims that over 20,000 bugs have been fixed via its platform.
We have all witnessed the meteoric rise of Uber, AirBnB and KickStarter as they leveraged the power of the community, the crowd, the individual. This new way of doing business is credible and generates results. Any company with security products, with security issues, or concerned about the security of software products that are coming to market no longer has to hire one or two new engineers; it can tap into the skills of thousands. It’s time to call in the Bounty Hunters.
SCC provides a class-leading range of SIEM (security information and event management) services to assist businesses with their cyber security risk management and mitigation strategies.