Ethics of Bug Bounty Programs: Free Markets, Oppressive Regimes, and Pop Tarts
I love Pop Tarts, the incredibly unhealthy breakfast snack marketed toward school-aged children. I am also a believer in free-market economics and Adam Smith's theory of the invisible hand. Put simply, the invisible hand states that unobservable market forces naturally balance supply and demand, allowing them to reach equilibrium without intervention. When I run out of Pop Tarts, I go to my local grocery store (yes, I still drive to the grocery store instead of relying on InstaCart, Safeway delivery, or Prime Fresh) and buy a box. When enough people follow my lead, the grocery store purchases more from a distributor, who in turn purchases them from Kellogg's, which buys raw materials such as flour and sugar from farms across the United States. Those farms purchase security services from my employer, the leader in cloud security, who writes me a check every two weeks, allowing my sugary snack addiction to perpetuate. According to Adam Smith, governments and regulators do not need to intervene in an ideal world. However, many readers will know that we live in conditions that are anything but ideal. Enter the intersection of information security and free-market economics: bug bounty programs.
Bug bounty programs have gained popularity over the past few years, and for good reason. As more companies connect more systems to the internet and migrate data and applications into the cloud, the attack surface grows rapidly. Whereas a decade ago most of an organization's systems sat behind a network perimeter, today's internet-facing, cloud-connected, and VPN-listening systems can be attacked from anywhere in the world. Whitehat, Greyhat, and Blackhat hackers attempt to penetrate these systems for the lure of lucrative pen testing contracts, to satisfy curiosity, for the bragging rights of proving they could Hack the Gibson, or for malicious purposes. Before bug bounty programs, there was no legitimate way for Greyhats and Blackhats to monetize their effort. If they discovered a delicious zero-day vulnerability, they could responsibly disclose it to the vendor, hoping for, at best, a thank-you note, or sell it on the black market to an attacker looking to exploit that system. This arrangement deterred responsible disclosure and encouraged Blackhat hacking, leaving most parties worse off.
Bug bounties are a schedule of payouts to anyone who responsibly discloses vulnerabilities to the vendor. The harder the vulnerability is to find and the more severe its impact, the higher the payout; the free market at work. Many large organizations such as Google, Apple, and Microsoft run their own internal bug bounty programs, but many others choose to outsource their program to a third party. HackerOne and Bugcrowd have emerged as leaders in the managed bug bounty industry. Companies like Tesla Motors and MasterCard have outsourced their bug bounty programs to Bugcrowd, letting Bugcrowd handle the burden of finding interested hackers, triaging and verifying the reported vulnerabilities, and managing payouts. Managed bug bounty programs enable organizations to crowdsource information security. Anecdotally, I have observed a steep drop-off in exciting and novel attacks demonstrated at Black Hat and DEF CON, which I attribute to the rise in popularity of bug bounty programs. Instead of sitting on a novel zero-day for several months waiting for DEF CON, hackers can cash in that vulnerability immediately, coordinate public disclosure once the company patches it, and move on to the next project to earn some bucks. Bug bounty programs reached a milestone last month when a 19-year-old Argentinian hacker became the first to claim over USD $1 million in bug bounties through HackerOne's managed bug bounty program. HackerOne's customer portfolio even extends to the US Department of Defense through its "Hack the Pentagon" program. Bug bounty programs are a win for every party: organizations discover unpatched vulnerabilities, hackers get paid for their discoveries and responsible disclosure, program managers take their fee, and the public gets more secure software and systems.
Organizations like Google, Microsoft, Apple, Bugcrowd, and HackerOne have strict codes of conduct and ethics. Their bug bounty programs exist to make software and systems more secure by patching previously unknown vulnerabilities. However, the flip side of that coin is the grey market for those same exploits. Zerodium is the most visible exploit broker in that market, and forensics vendors such as Cellebrite sit alongside it. Zerodium offers eye-popping payouts for exploits, and the US FBI reportedly paid about $900,000 to an outside party to unlock the iPhone 5c belonging to the shooter in the December 2015 San Bernardino, California attack, a job widely attributed to Cellebrite at the time (later reporting has credited a different vendor). Zerodium says it purchases exploits to package them into a premium zero-day research feed, which it sells only to a few hand-selected corporate, government, and law enforcement customers. However, very little is known about the company; its "About Us" page is only 163 words long and consists of nothing but marketing speak. Zerodium landed on everyone's radar a few months back with a payout table offering hackers up to USD $2 million per exploit. Notably missing from Zerodium's website is any code of conduct or code of ethics describing how it handles exploit information once it has purchased it.
Last summer, Microsoft raised its bug bounty payout to $250,000 for a successful Hyper-V guest-to-host escape, outbidding Zerodium and other bug bounty programs. This was a very attractive proposition for security researchers: since Microsoft itself was paying, it was almost certain that Microsoft would patch the vulnerability once it was reported. In response to Microsoft's move, Zerodium raised its Hyper-V guest-to-host exploit payout from $200,000 to $500,000, double Redmond's amount. These moves use free-market economics and the invisible hand to create a bidding war for exploits, which benefits the security researchers who discover them. However, my opinion is that the security community as a whole will suffer because of this.
Zerodium's CEO Chaouki Bekrar explained in an interview exactly why he decided to raise payments: "However, we've recently observed an increase in demand from customers, [and] we have decided to increase the bounty to $500,000 to outbid vendors and all existing buyers." The most concerning part of his statement is the reference to an "increase in demand" for these exploits. Since Zerodium sells only to a select few corporate, government, and law enforcement customers, an increase in demand most likely means those customers are purchasing the exploits to use them offensively rather than ingesting the feed to protect their own systems. Because Zerodium can resell an exploit once for a large sum or many times for smaller amounts, companies like Microsoft, Google, and HackerOne cannot compete with Zerodium's payouts: they have no profit motive for purchasing exploits other than making their software more secure. As a result, previously undiscovered vulnerabilities will be exploited by governments with deep pockets, and average users will have to live with insecure software. While it is not confirmed that Zerodium sells exploits for offensive use, the facts support the hypothesis: governments have demonstrably gone to great lengths to acquire zero-day exploits, and resale to such buyers is the only plausible way Zerodium can sustain its payout table. Until Zerodium becomes more transparent, or states outright that it does not sell exploits for offensive purposes or do business with oppressive regimes, it is reasonable to believe that it does.
According to economist Adam Smith, the free market works most of the time without government intervention. However, this is an instance where oversight would benefit the security community in general. It is left to individual researchers to decide whether to sell their exploit to Microsoft for $250,000 with a guarantee that the vulnerability will be patched, or to Zerodium for $500,000 with no guarantee of anything. The world has already seen the effects of weaponized zero-days: WannaCry spread using EternalBlue, an SMB exploit stolen from the US NSA, and planted the NSA's DoublePulsar backdoor on the machines it infected, reaching hundreds of thousands of systems around the globe, causing billions of dollars in damage, and disrupting everything from logistics firms to hospital visits. That exploit had been held by a government agency rather than disclosed to the vendor, and it eventually leaked.
Advanced persistent threats are just that: persistent. If a nation state wants access to a system or a key piece of information, it has an almost unlimited budget to achieve that goal and can turn to organizations like Zerodium and Cellebrite to acquire zero-days. However, organizations can take steps to protect themselves and become much less attractive targets by taking a defense-in-depth approach to security. Prompt patching (the very thing a vendor-paid bounty buys), a security stack delivered as a service so users get the same level of protection wherever they are, multi-factor authentication, user awareness training, a change management process, endpoint anti-virus, bulletproof offline backups, and a tested incident response plan will significantly lower an organization's attack surface and risk profile, even against nation-state attackers. None of these layers will stop a well-funded attacker holding a genuine zero-day, but each one raises the cost of the attack and limits the damage when another layer fails. The only thing guaranteed in life besides death, taxes, and data loss is that for every security product that exists, a dozen vendors are waiting to sell you something.