Exploring the dynamics of the attacker economy

Global software companies are increasingly turning to attackers for help identifying security vulnerabilities in their offerings – and they’re not the only ones.

Conservative government agencies are even beginning to welcome bug bounty hunters. Just recently, the U.S. Department of Defense (DoD) announced its search for a commercial bug bounty company that conducts crowdsourced vulnerability discovery and disclosure.

Despite the growing number of organizations and government agencies that are embracing bug bounty hunters, questions still remain about the practice and the ethics behind it.

The bug bounty business

Organizations utilizing bug bounty programs allow outside security researchers and white hat hackers into their networks to explore their applications in a relatively controlled and managed environment. Their goal is to find bugs that security teams may have missed.

These programs are in high demand, and some organizations – like Microsoft – are launching their own programs. Microsoft, for example, is willing to pay up to $250,000 for the discovery and identification of security vulnerabilities to researchers who follow their guidelines.

Guidelines generally include an agreement that the researcher will not publish or share any detail about the bug with other parties without express permission, and that they have not exploited or abused the vulnerability. How much a researcher is paid usually depends on the complexity of the vulnerability.

The ethical dilemma

While a $250,000 reward may seem like a generous sum, the reality is that security researchers are able to cash in for a significantly larger prize if they’re willing to go a slightly less moral route. There are two opposing forces on either side of the bug bounty market, with a more nuanced middle ground between the two.

On one side, there are government agencies and software companies that are willing to reward those who find vulnerabilities within their products and services. This side is motivated to make their products more secure and keep their customers and users safer. Researchers who work directly with government and software companies are appropriately referred to as “white hat hackers,” since – from a moral standpoint – they’re doing good.

Unfortunately, hackers are also pulled by an oppositional force away from the more ethical route, knowing they’ll make significantly more money by taking their found vulnerabilities to the black market. Much like the global arms market, which is characterized by skyrocketing prices and illegal activity, a zero-day market allows researchers to trade vulnerabilities for huge sums of money.

Black hat hackers will trade in their morals and share vulnerabilities that are almost surely to be used for nefarious purposes. Just recently, a former employee of NSO Group, for example, attempted to sell spyware products on the Dark Web for $50 million in cryptocurrency, but was later arrested in June.

Bug bounties aren’t always black and white, however; a gray area also exists. Some companies acquire premium zero-day vulnerabilities with functional exploits from security researchers and companies, and report the research, along with protective measures and security recommendations, only to their corporate and government clients. There are also quite a few companies that develop or buy vulnerabilities.

Zerodium, for example, buys zero-day vulnerabilities to create and sell tools, paying no less than $1.5 million for an iOS vulnerability that doesn’t require the victim to click or do anything before infection, meaning all that is required is to “exploit” the vulnerabilities. These companies aren’t using vulnerabilities for the same nefarious purposes as those on the black market, but the fact remains that they’re making a profit off while failing to disclose vulnerabilities publicly in a way that would benefit the industry as a whole.

Celebrating ethical hacking and public disclosure

The market drivers on all sides of the bug bounty business and the larger questions of what’s ethical shadow another important debate within the security industry: how can the industry become more centered on collaboration and information sharing for good?

We’re shifting in that direction, however slowly, but we need to do more to really advance the industry. The bottom line is we need to encourage ethical hacking and promote public disclosures so that we’re all working with better products and keeping users safe.