Defining Intent in the Crowdsourced Security Model

Over the past few months, the widespread popularity and adoption of bug bounties and vulnerability disclosure have grabbed headlines. This rapid adoption paired with recent incidents have hastened the need to make sure things are defined clearly—specifically, the difference between bug bounty and extortion, a good hack versus a bad one. This has drawn the attention of the U.S. Senate, which ultimately is a good thing, important and expected.

We know that the crowdsourced model works—it’s the future of security. To ensure it has the most impact, we must marry the art and science of it.

In keeping with our commitment to transparency, honesty, and education, we thought it was a good time to discuss bug bounties in the context of the recent Senate committee hearing held on Feb. 6, 2018 “Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers.”The hearing examined the October 2016 Uber data breach, the bug bounty model as well the value and impact of vulnerability identification, the allegations of impermissible payments by Uber to conceal the security incident, and the appropriateness of the use of bug bounty programs as vehicles to pay out against extortion and other cybercriminal events.

First, I was impressed with and commend Uber’s leadership team, and specifically John “Four” Flynn the CISO of Uber, for clearing the air around Uber’s perspective on what the 2016 payout actually was stating: “We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company.” Uber spoke extensively on the value of bug bounty programs as part of a comprehensive data security program, lessons learned from the breach, and the path forward. The approach Uber took to the conversation was an important step towards clearing ambiguity on the subject and I commend Uber for getting on the front-foot to help, not only to protect this industry but to take it forward.

Second, it was fantastic to hear the lengths Senator Moran went to in explaining the value and benefit of the crowdsourced model and to distinguish—from the Senate’s perspective—the difference between white-hat activity and criminal behavior. This sets a tone for further conversations in the Senate and the U.S. Government and limits the possibility of the subject being misinterpreted by decision-makers who don’t spend as much time in cybersecurity as Senator Moran, Senator Blumenthal, and the others on the committee do.

The part that I found most interesting from the hearing was the discussion around a carve-out for “inadvertent white-hat behavior” in the mandatory breach notification laws currently being circulated on the Hill. Ultimately, this can be an incredibly good thing for the continued growth of the relationship between good-faith hackers and companies, and for the level of safety and safe-harbor, both sides enjoy when engaging to make the internet safer.

Implementing this won’t be without its challenges, and it’s important to ensure the appropriate frameworks are created over time, while also working to avoid any chilling effect on the benefit that has been created by this model. Vulnerability exploitation is, like many things, a dual-use activity able to be exploited for both good and harm. Determining the intent of a hacker as good faith or malicious becomes more difficult at scale.

It comes down to this: as a hacker, I have the imperative to demonstrate proof of the vulnerability I’ve just discovered. This is called a proof of concept, or POC. In many instances, a vulnerability leads to the ability to exfiltrate data from a target, and proof of exploitability requires a sample of that exfiltration to prove the validity of the bug. Here’s where it gets tricky… To people in the security industry, there’s a clear difference between a few records in a POC and 57 million records as part of an extortion attempt, but this difference isn’t drawn, written, or agreed on anywhere—nor is it discussed very often.

In Uber’s case, both the number of records exfiltrated and the subsequent communication from the attacker made it clear that it was not a bug bounty. As I’ve said before, paying a ransom is sometimes the logical approach to reducing risk, and in this instance Uber had to figure out a way to protect themselves and the exfiltrated data of their customers. The bottom line is this: the issue of intent and safe-harbor have been a feature of vulnerability disclosure (VDP) and bug bounty programs (BBP) for a long time now. There’s a lot of devil in the details, and I’m very happy to see the conversation continuing to escalate in importance and profile as this industry matures.

We’re in the business of finding vulnerabilities by introducing and encouraging the intelligence of the white-hat hacker community. This can be a frightening concept for folks who create, run and protect software, but it’s necessary to compete against the intelligence of the adversaries that are out there. The VDP and BBP models have operated on good faith for many years with good success, but the Uber Senate hearings suggest that it’s time to get busy working to define the difference between a bad hack and a good one.

It’s our mission to make the internet safer and to build an effective community of good-faith hackers dedicated to finding what other defenders cannot. Continuing to simplify the difference between good intent and bad is important and something that we consider our duty as leaders in the space. It has dictated how we have approached customer/researcher relationship building. We have built and continue to refine our platform to define intent and facilitate these relationships from a technology standpoint and create a home for all our hackers.

The Uber breach and the events that followed brought some much-needed awareness on a national level. Bugcrowd is committed to driving the market forward, building better tools and methods to define intent early and at scale so that this model continues to be successful. There is still a lot of work to be done to clearly articulate intent in our industry, but it’s clear that the world needs hackers – and it’s an exciting time to be a part of forming future of this relationship.