Crowdsourcing cybersecurity

John Ombelets, CXO Magazine
Feb 26, 2018

The gig economy is transforming everything from transportation to hospitality. Now, a number of startups want to do the same for secure computing.

This article is part of a special CXO Report on the cybersecurity talent pipeline.

Uber can make anyone with a car and a smartphone a part-time cab driver. Today, three West Coast startups are giving anyone with coding smarts — and good intentions — the chance to get paid handsomely while helping to fill the vast cybersecurity talent gap.

The companies — HackerOne, Bugcrowd, and Synack — are driving a rapid expansion of so-called bug bounty programs that offer rewards to ethical, or “white-hat,” hackers for rooting out and reporting flaws in computer software, hardware, and networks. And the rewards — occasionally gifts but usually cash — can reach as high as six figures for some of the most critical flaws.

“More than just your internal security team, you get the experience and diversity of hundreds of hackers all going after one target,” says Synack co-founder and CEO Jay Kaplan. “Plus, you’re utilizing the skills of a lot of people who have no interest in working full time for cybersecurity companies.”

This crowdsourcing model has added as many as 200,000 hackers to the undermanned cybersecurity workforce, making it a significant element in the security strategies of numerous small businesses and more than a few household brands.

Thirteen of the 24 largest technology sector companies in the Fortune Global 2000 have policies that include vulnerability disclosure programs to encourage hackers to find and report bugs. Seven of those offer bug bounties, including Apple, Google, and Microsoft. So do Starbucks, United Airlines, General Motors, and the U.S. Department of Defense. And, yes, Uber.

All work with one or more of the three companies. Customers pay them to oversee their bounty programs and to get access to their pool of hackers (or more politely, “independent security researchers”). Customers typically pay the bounties as well, although Synack, for one, provides that as a managed service. More noteworthy than who pays is how much: depending on severity, an average of a few hundred to a few thousand dollars for a single bug. Given the Ponemon Institute’s estimate that the average data breach in 2017 cost $3.62 million, it’s small wonder that the organizations adopting bug bounty programs view them as a bargain.

Count Shopify among them. The e-commerce platform for small retailers has paid out more than $700,000 in bounties (for about 700 bugs) since joining the HackerOne platform in April 2015 and is more than satisfied. “Bug bounties are an essential part of our security strategy,” says Peter Yaworski, the application security engineer on Shopify’s bounty program. “We get attention from top hackers — thousands of security researchers who’ve helped us build a more reliable platform.”

Headwinds in nontech sectors

For all the growth in crowdsourced cybersecurity, however, a 2017 report from HackerOne notes that among all Fortune Global 2000 companies, just 6 percent have vulnerability disclosure programs (VDPs). Adoption has been markedly slow outside the technology sector, even as technology expands into every corner of the global economy.

Home Depot, for instance, has no vulnerability disclosure program in place — three years after a security breach that affected 50 million customers and cost the company a $25 million settlement. Besides United, Lufthansa is the only airline with a VDP, while Starbucks is the sole dining chain with one. And despite the rapid development that’s taken place in putting autonomous cars and trucks on the road, just three out of 31 auto and truck makers have VDPs: General Motors, Tesla, and Fiat Chrysler.

A generalized fear of the hacker community is one obstacle. “The idea that 100 of the world’s top hackers are going to attack their systems scares a lot of people,” says Synack’s Kaplan.

When he and Synack co-founder Mark Kuhr left the National Security Agency to form the company in 2013, Kaplan says, “we found our number one challenge was convincing customers that crowdsourced cybersecurity could be trusted.”

With popular perceptions of hackers being shaped by the media’s spotlight on high-profile cybercrimes, that can be an uphill push. Witness the Uber hacker case, which last year created something of a public relations crisis for the crowdsourced model. The company concealed a 2016 data breach from its customers, drivers, and the general public for a full year, a cover-up aided by a questionable $100,000 payout to a hacker. Uber initially claimed it was a standard bug bounty but has since acknowledged that it was a ransom payment extorted by the hacker.

Organizations considering a VDP also need to think twice about the pull of the unregulated global gray market for big-impact bugs. That is where government agencies, security companies, and brokers buy, sell, and hoard undisclosed critical vulnerabilities — so-called zero-day exploits — for sums up to 10 times what a hacker could get through a legitimate bug bounty program. For example, in early 2016, the FBI reportedly paid more than $1.3 million for a software flaw that allowed it to unlock an iPhone without Apple’s assistance.

Another potential roadblock is the staffing, technical expertise, and in-house leadership required for organizations to respond effectively and quickly to a geyser of vulnerability reports, especially in heavily regulated industries where safety is a big issue. That has been a concern, for example, in the automotive industry.

Current high-end cars each have about 100 million lines of code, seven times the amount of code in a Boeing 787. That presents hackers with an enormous attack surface — and anyone trying to sort through and validate bug submissions with an enormous headache.

The Automotive Information Sharing and Analysis Center, an industry-operated organization created to promote cybersecurity awareness across the global automotive industry, is encouraging the adoption of vulnerability disclosure programs. AISAC executive director Faye Francy says the organization has initiated a strategic partnership with HackerOne, but they want to take a deliberative approach to expanding bug bounty programs.

“You need the internal people to respond quickly to the (hackers’) findings and prioritize them,” Francy says. “Some companies are not yet equipped to handle it. It gets back to personnel.”

Building trust, driving growth

Bug bounties are not truly new. They have been around since 1983, when a San Francisco tech company ran print ads promising a free VW bug to any hacker who could find a bug in its newest OS. With the multimillion dollar backing of private investors, HackerOne, Synack, and Bugcrowd have moved well beyond that breezy, serendipitous approach to ramp up and professionalize the model.

While each manages the hacker-customer relationship differently, they share a common focus on building trust. They enact hacker codes of behavior and policies to expedite the processes that keep customers and hackers alike satisfied: validating and fixing the bugs and paying the bounties promptly. And they’ve adopted vetting processes for hackers — assessments of skills and trustworthiness, and in certain instances, background checks. Synack mandates those, as well as interviews — a gauntlet that Kaplan says weeds out 90 percent of the hackers who apply to work for them.

Sam Houston, senior community manager for Bugcrowd, says his firm also uses public bounty programs — those open to any hacker — to help test rookie hackers. Only strong performers graduate to private programs, which are by invitation only and frequently involve choice digital assets and plum bounties.

Once assigned to a project, hackers are connected to their targets through virtual private networks. That is yet another security measure; hackers’ work can be monitored and audited in real time. But it also affords insight into their unique skills, “the different tricks of the trade that they’ve picked up,” says Houston.

The companies are also out to upend the popular perception of hackers as hoodie-clad loners subsisting on caffeine and corn chips, and they are pretty successful at it. Their websites are replete with profiles and videos of hackers talking about what drives their passion for bug hunting. And both Bugcrowd and HackerOne publish lengthy hacker survey results, profiling their hacker communities by age, nationality, education, profession, hacking experience, and motivation.

The picture that emerges is of a group of 18- to 40-year-olds who hack as much for fun, challenge, and professional advancement as for money. Only about one out of seven makes a living as a bounty hunter. About half are employed full time in IT software or hardware development.

Typical is a Bugcrowd hacker, Matt Layton, who works full time as a security engineer at Audible, Amazon’s e-book developer. Layton worked on his first bug bounty program about 18 months ago and says, “The biggest thing for me is extending my knowledge and getting exposure to different technologies and companies in a field that is constantly changing.”

These moves to transform hacking and its Wild West reputation into a reliable option for computer security have helped inch up adoption outside the tech world.

Of the bug bounty programs launched in 2016 on HackerOne’s platform, 41 percent were from nontechnology sectors, including government, media and entertainment, financial services and banking, and e-commerce and retail.

Bugcrowd reported a similar rise in industry diversification, with 140 percent combined growth in bug bounty adoption among automotive, leisure/travel, computer networking, healthcare, and financial services companies.

Based on the companies’ own reports — there is no independent source of bug bounty statistics — the overall number of programs has also shot up. Enterprise programs launched on Bugcrowd’s platform have more than tripled since April 2016 and now stand north of 600. HackerOne has introduced bug bounty or disclosure programs with more than 1,000 organizations worldwide, and Synack’s client base has grown 800 percent since the end of 2014.

The size of the bounties is on the rise as well. According to HackerOne’s 2017 report, the average cash payout per critical vulnerability on its platform had increased by 16 percent since 2015, to $1,923, while Bugcrowd’s average payout on all vulnerabilities in 2017 was $451, up from $295 in 2016.

Bigger bounties and more programs with more challenging targets have translated into a fast-growing hacker community. Bugcrowd’s community has nearly doubled in two years to more than 70,000, while HackerOne can call on 166,000 registered hackers, up from some 120,000 six months ago.

“Not a panacea”

That kind of growth has some in the industry worried that bug bounty programs are being oversold as the ultimate solution to every organization’s cybersecurity issues.

“You have to be really sober about what bug bounty programs can and cannot do,” says Dan Guido, founder and CEO of Trail of Bits, a New York-based cybersecurity firm. “They offer great opportunities for young people to gain experience and learn. But for companies, they should be an insurance policy, not the solution.”

Small businesses that cannot afford a big security budget can take inexpensive steps short of depending on a bug bounty program, says Guido, like minimizing exposure of personal information on their sites by shifting storage and risk to a trusted third-party vendor.

John Manferdelli acknowledges that the crowdsourced model makes sense, but he is concerned that bug bounty programs are being used to make up for bad software design decisions. Former engineering director for production security development at Google and now executive director of Northeastern University’s Cybersecurity and Privacy Institute, Manferdelli says crowdsourced security is most valuable when it is built into the design process.

“If your attitude is that you’re just going to build stuff and then let people have a go at it, you can get a false sense of safety,” he says. “If your product has a lot of problems built into it, what bug hunters find could be pretty random. It’s not a panacea.”

Bugcrowd’s Houston agrees that crowdsourced security should be just one element in an organization’s overall cybersecurity package. But he also believes that software designers are totally focused on their role as creators — and the hacker’s “break it” mindset is the needed corrective.

“The people who develop software aren’t thinking in an adversarial way, they’re thinking like somebody who wants to build a product and get it out to market,” says Houston. “Feedback from the hacker community enables the builders to continue to focus on building. It’s about fixing it and learning from it, so you don’t repeat the same mistakes in the future.”


John Ombelets is senior executive editor at Northeastern University and a CXO Magazine contributing writer.