Since the invention of the internet, the risk of cybersecurity attacks has been a constant presence. But in the past 10 years, two of the most impactful trends in IT history–cloud computing and open source software (OSS)–have given that risk dimensions beyond our wildest dreams. (And that’s leaving digital transformation accelerated by the pandemic aside for the moment.)
The good news is that bug bounty and crowdsourced security are tailor-made to help address the problem, and their adoption by hyperscalers for their cloud products and open source projects is proving it.
Hyperscalers Double Down
Microsoft is an enthusiastic adopter of bug bounty, and recently announced that it paid out $13.7 million in rewards through its 17 active bug bounty programs over the past 12 months. (Bugcrowd processes bounty payments for Microsoft’s programs.) The bounty table is impressive: The Platform Program for Microsoft Hyper-V offers up to $250,000 for findings in the area of critical remote code execution, information disclosure, and denial of services vulnerabilities, and a similar program for Microsoft Windows Insider Preview offers a bounty range of up to $100,000 for critical/important vulnerabilities.
Possibly based on the rapidly expanding attack surface associated with cloud infrastructure (including the discovery of six critical Azure vulnerabilities in 2021), Microsoft expanded its bug bounty programs in the past year, adding “high-impact security research scenarios” to its Microsoft Azure Bounty Program.
Although Amazon Web Services has a less systematic approach to crowdsourced cybersecurity than Microsoft to date, it does accept vulnerability submissions for its cloud products and open source projects, and provides public infrastructure for running private bug bashes (with a goal of squashing 1 million bugs, collectively).
Beyond cloud infrastructure itself, cloud applications are inherently at risk due to potential misconfigurations or data exposure, insecure APIs, lack of tenant isolation, and numerous other reasons. As Bugcrowd Founder/Chairman/CTO Casey Ellis has remarked, “A lot of people would just assume that [security] is all sorted when they go to use a cloud provider — and might be a bit surprised to find out it’s not.”
Google Brings Bug Bounty to Open Source
Meanwhile, in August 2022, Google rolled out a new self-managed bug bounty program focusing solely on Google’s open source projects. The new Open Source Software Vulnerability Rewards Program (OSS VRP) will offer vulnerability rewards that range from as low as $100 to slightly over $31,000, with possible bonus increments that range to $1,000 in the case of a “particularly clever or interesting” vulnerability.
Google was an early adopter of bug bounty through what is now called its Bug Hunters Community, with 12 years of experience and more than $38 million in payouts on record. In 2021, Google disbursed a total of $8.7 million in bug bounty rewards to nearly 700 security researchers across 60 countries.
This new program is another proof point that the open source software supply chain has become nearly impossible to defend with traditional means due to complex dependencies, constant code churn, increased opportunities for malicious code injection, and other factors. In its announcement, Google cites a 650% year-over-year increase in open source ecosystem attacks, including the recent major incident involving Log4j.
Now that cloud adoption and open source software are ubiquitous, more security leaders are learning the lesson that Microsoft and Google learned years ago: that status-quo, reactive approaches to cybersecurity alone fall short as scale grows–and nothing says “scale” like cloud and OSS.
To learn more about crowdsourcing and cloud vulnerabilities in particular, grab a seat for our webinar on the subject with Enterprise Strategy Group cloud security analyst Melinda Marks.