Can Asian Hackers Become Trustworthy Gig Bug Hunters?

Image credit: iStockphoto/Jun

Bug bounty programs are gaining traction in APAC. They are turning hackers into legitimate cybersecurity gig workers.

Facebook last year paid an Indian computer engineering student USD30,000 for discovering a significant vulnerability. Lazada launched a program offering security researchers up to USD10,000 per bounty. Singapore’s Government Technology Agency uncovered 33 valid security vulnerabilities in 2019 by paying out USD30,800 in bounties.

Unlike hiring a white hat or commissioning a penetration test (pen test), bug bounty programs operate on a crowdsourcing model. It lets enterprises build a larger community of ethical attackers and reward them for discovering and reporting bugs. Despite the model’s rising popularity, the recent data breach conviction of Uber’s ex-CISO Joe Sullivan has also drawn attention to the legal implications of bug bounty programs.

No bug, no pay

Most bug bounty programs are initiated by large enterprises. Cyberbay is making such programs more accessible to medium-sized businesses and start-ups in Asia. It is launching a bug bounty marketplace that links individual bounty hunters to enterprises of all sizes.

“We democratize pen tests, allowing enterprises of all sizes to access a larger community of cybersecurity talents for bugs and vulnerabilities discovery,” said Kok Tin Gan, chief technology officer at Cyberbay and a PwC partner. With a minority investment from PwC China, Cyberbay is bringing unlimited brain power to enterprises that often work with restricted timeframes and limited talents in regular pen tests.

Gan added that Cyberbay offered a formal mechanism to communicate with, reward and recognize these talents. The outcome- and success-driven model allows enterprises to set their own prices to test the service and pay only when bugs and vulnerabilities are discovered.

Turn dark trades into legitimate ones

More importantly, Gan noted that Cyberbay provided a platform that encouraged hackers to become gig workers, moving from dark trades into legitimate ones. He added that most attackers are financially motivated, and that a bug bounty marketplace reduced their motivation to attack by giving hackers a platform to receive lucrative returns and legitimate recognition.

“Many of these attackers are intelligent but socially challenged to work in large enterprises and consulting firms. Without the bug bounty programs, they have fewer channels to monetize their talents,” he said. “We allow them to direct their energy and skills to more constructive contribution to the society.”

Gan added that PwC’s Hackaday has been grooming ethical hackers among Hong Kong university students. Cyberbay is a step forward in supporting these talents as they become cybersecurity gig workers and bug bounty hunters.

DevOps drives bug bounty popularity

The rising demand for bounty hunters was mainly driven by DevOps, according to an Asia-based CISO of an insurance company that is planning to launch a bug bounty program. 

In the world of DevOps and CI/CD, he said new updates were released almost three times a week. Conducting pen tests for all these micro-changes would prolong the release time and defeat the purpose of agile development.

“With all these micro changes, info-security teams are also being challenged to timely integrate all security measures throughout the software development lifecycle (SDLC) process,” he said. “Bug bounty fills the gap with continuous monitoring, ensures the security posture of these apps, and identifies the impact faster and easier.”

Budget, trust, and legal implication

Despite its rising popularity, the CISO added that bug bounty was best used as a complementary tool alongside existing pen tests.

“Bug bounty is good for handling mature apps with vulnerabilities that are not known,” he said. “If your apps do not have good governance, you will find a lot of bugs and run out of money very quickly. It will end up costing more than running a pen test.”

There are also concerns about trust and legal implications, according to Varun Kakkar, group head of cybersecurity at Tricor Group. The company has yet to take part in the bug bounty marketplace. He explained that ensuring the bounty hunters are trustworthy and handling all the “what if” scenarios could be a tricky process.

“I’d say this [bug bounty program] is still in a bit of a grey area from a legal perspective,” he said. “What happens if the hunters go rogue? What if they discover bugs in applications that are not part of the bug bounty program and start to ask for money?”

Gan noted that Cyberbay requires all its bounty hunters to have a legitimate bank account. Through the bank’s KYC process, Cyberbay can verify the identity of each bounty hunter. He added that all assessment and hunting activities must also be conducted through Cyberbay’s VPN. Discoveries must be reported through Cyberbay and are kept confidential to the enterprise concerned.

Kakkar added that the recent conviction of Uber’s ex-CISO over the data breach also raised other legal implications. Sullivan was found guilty of not disclosing a data breach of customer and driver records and of covering up the breach by presenting it as a discovery from the company’s bug bounty program.

“What if an independent researcher discovered a bug and approached us for money? Should we pay, or refer it to the bug bounty program?” he said. With the legal implications remaining uncertain, Kakkar noted that having the legal team actively involved is important when taking part in any bug bounty program.

Gan noted that the bug bounty program was still a relatively new concept, and that there was room for program operators to provide a better platform for bounty hunters. Recognizing some of the drawbacks and ethical issues, Gan said Cyberbay was committed to continuously improving its marketplace.

Cyberbay is currently under beta testing with its trusted bounty hunters and enterprises. Gan said the official launch was expected to be early 2023.

Sheila Lam is the contributing editor of DigitalWorkforceTrends. Covering IT for 20 years as a journalist, she has witnessed the emergence, hype, and maturity of different technologies, but is always excited with what's next. You can reach her at [email protected].
