Subsidizing the rise of the machines

Section 9 Labs
Oct 6, 2016

Kick-starting your automation with “cheap labor” as a service. The rise of machines by companies developing disruptive technologies and changing the world.

The Background

In the case of security, one could argue that the Uber of this industry is the Bug Bounty companies. They turned an industry controlled by security consultancies, which reported vulnerabilities and got paid per engagement, into what some people call a “democratized world” where responsible disclosure became the world of “civilized mercenaries” or, as many bug bounty companies like to put it, they give everyone a chance to get paid for their job.

But is that really what Bug Bounty companies are here for? A lot of them keep spreading into other areas, selling “engagements” or even venturing into the profitable arena of yearly PCI penetration tests.

Investors are not here to help anyone, clearly not here to help any poor researcher doing their best from some random country to find vulnerabilities and make a living, nor to make their customers more secure. Investors are here to make $$$$$. This drive to take businesses to new levels and maximize earnings, regardless of who is reporting the vulnerabilities, is what I believe is going to support the rise of the machines, as is happening with Uber replacing drivers with self-driving cars in the medium-to-long-term future.

Machines are replacing humans, so why not hackers …

The Security World

Just like Uber, this “independent” AKA W9 workforce is here just to pay for the long-term, inevitable end-to-end automation needed to scale and maximize earnings. So as much as the Bug Bounty industry might deny it, or potentially not even realize it yet, they are only using researchers for the time being, until the day autonomous bots/machines/AIs are good enough to find and report vulnerabilities on new companies.

So is this a bad thing? Are these companies evil? No, by no means; this is just inevitable. Evolution at its best. Cars will drive themselves, supermarkets will at some point remove all human employees, and over time more and more jobs will be taken over by non-human machines that will keep getting “smarter” and smarter.

When it comes to security, we hackers tend to think we have a very special job that only a human can do, and to some extent it is true. But with time that edge will disappear, and more and more of the vulnerabilities will be easily found by computers, and bug bounty companies (or some competitor) will sell them to companies in the form of bounties or whatever they might be called.

I am sure some of the best bug bounty researchers already use automated scripts or applications to find new vulnerabilities. The next step will be to automate the reporting, and after that these systems will be absorbed into the bug bounty companies; with time, the same people who kick-started these companies will either evolve or get replaced by the same companies they helped create.

Irony is a biatch, but again, am I against this progress? Hell no, I am a HUGE fan of Artificial Intelligence and I think it will help make the world a better place, if we use it correctly. What is more, ever since I joined the security industry I have always wanted to work on and develop technologies to run me out of a job. I have developed some automation tools, but very basic ones. So if I, a person without any formal schooling in the world of artificial intelligence, can develop basic tools, I have no doubt people will eventually force me to evolve and/or leave me outdated, slow and out of a job.

I do not think that, for now, AIs are capable of the human-level out-of-the-box thinking required to find new clever vulnerabilities.

Human hackers will still exist for a long time in Bug Bounty programs, but the big mass of researchers will be replaced by an elite of skillful hackers capable of finding new and complex vulnerabilities that AIs cannot find.

Although, with time, that edge will keep getting smaller and smaller, up to the point where the technology gets good and cheap enough that companies can build these technologies themselves and no longer depend on the experienced Bug Bounty firms.

Final thoughts

In any case, this rant is not about whether Bug Bounties are good or bad, nor whether what companies are doing is even unstoppable, but to provide my humble crazy opinion on where I think this is going and to allow others to look at the past/present/future options and decide whether you want to support this evolution and understand the consequences. Or maybe you will realize you also want to do this yourself and create the next wave of penetration testing and bug bounty companies that will take us into a new age of truly Artificial Intelligence-based automated security, which I can’t wait to see become a reality and stop being a cyberpunk dream ….

In other words, where is my Hacking Assistant, AKA Tachikoma???

Source: Screenshot from: Ghost in the Shell — Stand Alone Complex
