RSAC 2017: The end of easy cash bounties
Industry evolution eliminates bug hunters' chances of getting easy cash for trivial vulnerabilities.
Last week was unusually rich for the crowd security testing industry in terms of major events and announcements, many of which occurred during the RSA Conference.
Among the positive news is the US government’s announcement that it will keep its bug bounty program under the Trump Administration, giving confidence both to security researchers and to startups raising new millions from wealthy investors. Open Bug Bounty announced 100,000 submissions with over 35,000 fixed vulnerabilities. Meanwhile, new companies, inspired by existing crowd security startups, launched new platforms dedicated to security testing of IoT and other smart devices.
However, probably one of the most important pieces of news for the crowd security testing community is a partnership announced between Qualys, the global leader of automated security testing, and Bugcrowd, a prominent bug bounty platform. Henceforth, vulnerabilities detected by Qualys WAS will no longer be eligible for an award in the bounty programs of joint customers. In brief: security researchers making easy cash by reporting trivial security flaws are out of the game now.
The days of the unregulated Wild West bug bounty market are gone. Such a move was predictable and is pretty reasonable. In one of my previous articles, I already spoke in detail about certain advantages and pitfalls of bug bounties, including the bug bounty fatigue phenomenon that was presented in a bit more detail at Black Hat last year.
The issue is actually quite simple: companies that have been running bounty programs for years are usually much less tested, both in terms of quality and quantity, than newcomers. This is because a bug hunter’s chances of spotting a rewardable vulnerability in a reasonable amount of time are almost zero: everything has already been found and reported. Instead, security researchers quickly jump on new targets, using Google dorking and arsenals of vulnerability scanning software to report the easiest security vulnerabilities before the others, and then switch to the next easy target. Such a vulnerability reporting model was quite sustainable until now.