February 29, 2024

One cybersecurity area that I tend to spotlight involves vulnerability management programs. From vulnerability discovery, disclosure, sharing, prioritization, and remediation, there are many different types of tools, processes, and programs that can be employed to manage this problem. One unique vulnerability management program that has evolved significantly over the years is bug bounty. The issues that this evolution has created were succinctly addressed at a recent University of Maryland conference by Dr. Rahul Telang, a Professor at Carnegie Mellon. I found his review quite useful, and thought it should be shared more widely. So I was happy when he accepted my invitation for an interview on the subject. Learn more about bug bounty programs in this interview with Dr. Telang below.

Spotlight on Dr. Rahul Telang

» Title: Professor of Information Systems at the Heinz College at Carnegie Mellon University and at the Tepper School of Business

» Website: heinz.cmu.edu/faculty-and-research/faculty-profiles/faculty-details/index.aspx?faculty_id=104 

» LinkedIn: linkedin.com/in/rahul-telang-99b134

Read his bio below.

Chris Daly, Active Cyber™: What is a bug bounty? Why did bug bounties start and how has it changed the vulnerability discovery process?

Professor Rahul Telang, Carnegie Mellon University: Bug bounty programs allow software vendors to pay third-party hackers to discover bugs in their products. Bug bounty can be thought of as crowdsourcing for discovering vulnerabilities. It started when Netscape announced that it would pay hackers to find bugs in its product. For the first time, hackers were incentivized to discover vulnerabilities and get paid, resulting in hundreds of third-party amateur and expert users looking for bugs in the product. Since the bugs will be reported to the firm, the firm will benefit because that information will not be misused.

Active Cyber™: How are bug bounties accomplished today? What are the different roles, who are the main players and how are they involved?

Professor Telang: While an individual firm can start its own bounty program (big firms like Apple or Google and so on have such programs), it is hard to establish a program, attract expert hackers, and establish rules for payment. Large platforms like HackerOne and Bugcrowd have filled this gap; such platforms act as an intermediary between the firm and hackers. These platforms advertise bounties and attract hackers, establish rules for bug discovery and bounty, and decide whom to pay and how much to pay for the bounty.

Active Cyber™: What is the typical profile of bug bounty workers? What is the range of payouts that a worker may receive? What is a typical payout?

Professor Telang: Most of these workers are young (below 30 years) and are outside the US. The payout varies a lot, with some of the hunters getting large payouts (in six figures), while the majority of them earn less than $20,000 per year.

Active Cyber™: What types of incentives and disincentives are created by bug bounties for software providers? For platform owners? For bounty hunters? For users? Does the bug bounty program actually result in more secure code?

Professor Telang: One of the biggest benefits to the vendors is that, besides crowdsourcing bug discovery to a large number of bounty hunters, they can also control the disclosure of vulnerabilities. In short, vendors are able to buy silence from hackers who otherwise would make this information public. So software vendors not only get many eyes to scour for bugs, they are also not worried about fallout from bug discovery. Since hunters can now get paid, they are able to generate some money. Since most of the hunters are based overseas, even a small payout is a worthwhile payment for them. Platforms benefit because, as the number of firms participating in bounty programs increases and more hackers sign up, they are able to take their cut by connecting the two parties.

Since bug disclosure becomes opaque, it is hard to know which firms are producing more secure code. When there is clear disclosure, there is broad learning about what causes bugs in the code and what remediation should take place. This learning extends to a broader range of software. Bug bounty programs make it hard for such learning to take place. Since vendors have less worry about bugs in their product, they have even more incentive to release the product faster and fix it along the way as bugs are discovered.

Active Cyber™: What is “safe harbor” and why is it important to the bug bounty program? Do all vendors support safe harbor? Does safe harbor apply the same way across different countries?

Professor Telang: Finding a vulnerability in a software product is fraught with legal risk. A vulnerability found in a product can be exploited by someone or information may be leaked and the user may be held responsible without significant legal recourse. This is more complicated when hackers are located internationally.

For the DOJ, standard “safe harbor” language generally includes at least three core elements: (1) a pledge that the organization will not pursue civil action for accidental or good-faith policy violations nor initiate a law enforcement complaint; (2) a statement affirming that activities that are undertaken consistent with the program’s policies will be considered “authorized” under the CFAA; and (3) a commitment that if a third party brings a legal action against a hacker that has acted in good faith, the organization will make known that the hacker acted in compliance with program policies.

The bounty program does not and cannot indemnify hackers from third-party complaints. Additionally, for hackers working outside the US, domestic anti-hacking laws and regulations might present legal risks that are not addressed by the typical safe harbor language. Even with the adoption of standard safe harbor language, hackers still face some residual risk. The effort to promote and attach legal safe harbors to bug bounty programs is important, but as long as anti-hacking laws in the US and elsewhere fail to protect well-intentioned disclosures of security flaws, hackers still face significant legal risks.

Active Cyber™: How competitive is the platform market? Do you foresee greater expansion in the number of platform providers over the next couple of years or has the market reached maturity for the time being?

Professor Telang: Platforms exhibit strong positive externality. A platform that offers more bug bounty programs attracts more hackers, and vice versa. Thus this market is likely to sustain only a few large platforms, even in the long term.

Active Cyber™: How will / does AI affect the bug bounty process and market?

Professor Telang: AI is likely to benefit bug hunters who can automate finding bugs. However, it will also benefit vendors who may be able to detect bugs before they ship the product. Therefore, the effect of AI is unclear.

Active Cyber™: What are some of the legal and ethical questions that remain outstanding when it comes to bug bounties? Who is leading the charge on these issues?

Professor Telang: In addition to what I said earlier, the ethics and legalities are evolving. Many different laws are applied in the case of bug hunting. There are efforts to streamline obvious legal hurdles, but as I noted, complete immunity will require change in laws regarding bug bounty.

Active Cyber™: What is the US government role in bug bounty programs? What does China do with vulnerability disclosure?

Professor Telang: Many legal statutes which affect bug bounty are written by the US Congress. So there has to be explicit change in legal language surrounding bug bounty. Otherwise, their actions are open to interpretation.

China enforces strong control on what and how vulnerability information needs to be disclosed. China is known to demand that firms report any hackable bug in their products to the Chinese government.

Dr. Telang, thank you so much for this overview of bug bounty programs, how the market for these programs is evolving, and the issues that go along with them. I believe the market and platforms are here to stay, as CISA seems to advocate such an approach, and it also provides a way for equities to be processed. Please keep me informed on your views as this area matures even more.

And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Let us know if you are innovating in the cyber space or have a cybersecurity product you would like discussed on Active Cyber™. Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, AI/ML, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Professor Rahul Telang. Rahul Telang is Trustees Professor of Information Systems at the Heinz College at Carnegie Mellon University and at the Tepper School of Business (Courtesy). Professor Telang is broadly interested in how the digitization of Information and Communication Technologies (ICTs) impacts consumers, firms, and policy makers. He also studies information security and privacy extensively. He is co-director of IDEA (Initiative for Digital Entertainment Analytics) and has written a popular book. He is the recipient of an NSF CAREER award, an NSA grant for work in information security and privacy, a fellowship from the Sloan Foundation, and numerous Google awards for studying digitization and media piracy. Dr. Telang has published in many top management and policy journals, such as Management Science, Marketing Science, ISR, MIS Quarterly, and the Journal of Policy and Management, as well as NBER chapters. He has held senior editor positions at Management Science, ISR (Information Systems Research), and MIS Quarterly.