COVID-19 & Cybersecurity: Disclosure and bug hunts on the rise

Oded van Kloeten
SSD Secure Disclosure
Apr 27, 2020

With COVID-19 posing new challenges to society and the worldwide economy, many professionals, including coders, ethical hackers and security researchers, find themselves with spare time on their hands and, in many cases, looking for an additional source of revenue.

In our last blog article we discussed how companies that encourage remote work are taking steps to ensure they are well protected. It is likely that over the coming weeks and months other organizations will choose to limit office access as well, in order to protect their staff, or, due to low revenues, will even send people home for good.

Vulnerability disclosure and bug hunting grant financial rewards to those who identify and report valid vulnerabilities and exploits to vendors or disclosure partners. In this article we explore the pros and cons of getting into this lucrative world as an alternative source of income.

With more than $40 million USD paid out in 2019 to ethical hackers in bug bounties, many see these programs as a holistic solution for an additional revenue stream. From the firms’ side, these programs allow their developers to discover and fix bugs before the general public is aware of them or before any harm is done. In some cases, a single disclosure can earn tens of thousands of dollars, leading professionals to focus on independent bug hunting as their main source of income and learning.

As mentioned in one of our latest articles, there are two main ways to get started. The first is to find and disclose vulnerabilities to specific product vendors. If you possess expertise in a specific OS or hardware, the compensation may be extremely high; for example, in the case of an Android remote full chain, you can get a couple of million USD for only one full chain exploit. Some companies do not handle disclosures directly, and in those cases a third-party service (such as SSD Secure Disclosure) is needed to reach these vendors and report the exploits. The second option is finding bugs in the service or product of a company running a bug bounty. This allows researchers to work on a bigger scale, as there are many more targets in scope, and the difficulty is often lower than that of the first method.

Making the most out of the situation

The popularity of white hat hacking as a career has been soaring over the last few years, so much so that in the current crisis it has become a lucrative career option and is growing at a strong rate. While the thrill of the challenge is the core motivation for most, with financial remuneration a close second, COVID-19 is switching things up and increasing the number of researchers and hackers looking for a “full career” in vulnerability disclosure. Many are also using this route to learn new skills and stay in the loop (the core idea being that their experience in bug hunting will help them get a job in cybersecurity after the situation calms down), and we expect to see another rise in independent research and disclosure.

In addition, anyone can enter this world as a beginner or a veteran, and with the average submission payout on the big platforms coming in at ~$1,000, it provides a valid option to work from home on your own time and on your own terms. Before the outbreak, most exploits and vulnerabilities submitted to SSD were related to products and vendors. Our Intel Windows Graphics Driver exploit, Empire PowerShell showcase and the iOS jailbreak vulnerability are just a few examples of our day-to-day scope.

Risks and rewards

Essentially, white hat hackers and security researchers want to help organizations, yet two-thirds of them say they have chosen not to report their findings, for a variety of reasons. Four in ten stated that it was due to “threatening legal language” listed on the organization’s website, while one in five said that “companies didn’t have an obvious channel through which to report findings”. In some cases, the companies simply didn’t respond to bug reports.

As many companies, like Apple, do not commit to a minimum amount and do not communicate directly with individuals (and some researchers prefer to stay anonymous), disclosure services act as the middleman. These services are becoming more and more popular, as researchers can skip the hassle of contacting the firms, getting their findings validated and ultimately getting paid.

The high overall revenues and the low risk attract researchers from all fields of software to switch to disclosure services, resulting in industry growth and higher payouts for unique findings.

SSD helps researchers get to the bottom of vulnerabilities affecting major operating systems, software or devices. In these troubling times, SSD serves as a hub for many researchers to keep and explore their fields of interest, submit their findings and be rewarded as they always did. Since many have made the transition from working in an office to remote work, we see a rise in individual contributions and new researchers coming on board.

Make the most out of your time and expertise at home and join our rapidly growing team, disclose your findings and enjoy discreet, quick handling and generous rewards.

Visit our new site: https://ssd-disclosure.com/

Join the conversation:

https://twitter.com/SecuriTeam_SSD

https://twitter.com/typhooncon

https://www.facebook.com/typhooncon/

https://www.linkedin.com/company/ssd-disclosure

https://t.me/joinchat/I6jTnFGgDuaJlhk
