Why I stopped chasing vendors and decided to get the credit and payout I deserve for my research

Oded van Kloeten
SSD Secure Disclosure
Jun 29, 2020

Over the past fifteen years, disclosing vulnerabilities and bugs found in hardware and software has become mainstream.

Security researchers who reported 0-day vulnerabilities to affected vendors were credited for the finding and received recognition and a small reward, all while strengthening the security of the online ecosystem.

When disclosure first became popular, the process was straightforward: a responsible researcher submitted the vulnerability to the vendor via email. Once the vendor became aware of the issue, it typically understood and fixed the vulnerability.

The next step was publishing a fix so that the vendor’s customers could implement the fix and avoid getting hacked by bad guys exploiting the vulnerability.

Chasing Vendors

This has changed in recent years. On one hand, some vendors have a professional team at hand that handles these kinds of findings and publishes fixes within a couple of days of submission. These vendors usually have their own disclosure guidelines or bug bounty programs meant to cover all sides of their product.

But not all vendors have these teams and guidelines, which means that sending a vulnerability report directly to the vendor can be a bit like sending it into a “black hole”: the process is uncertain.

In many cases, you should expect a very late response, or no reply from the vendor at all. In extreme cases, vendors may accuse researchers of reverse engineering their products, of searching for bugs for the sole purpose of quick cash, or of doing it as a publicity stunt.

In these cases, a vendor might further demand that you keep your findings secret and not publish them, possibly under legal threat, because the vendor is concerned about potential damage to its reputation.

Getting the most out of your day

We recently interviewed one of SSD Secure Disclosure’s top security researchers, who focuses on low-level kernel research and has recently chosen to abandon direct vendor disclosure.

We asked him about this change and what his day-to-day looks like now. The researcher chose to remain anonymous for this article, due to (as he describes it) “[the] toxicity of the public infosec community”:

Tell us about your research prior to 2020

Having been part of the infosec world for the past 15 years, my focus was and still is low-level kernel research. With the recent development of mobile devices and the increased interest in them, my focus has adjusted to iOS and Android, on various devices and from various manufacturers.

As a full-time vulnerability researcher, my day-to-day routine up to six months ago consisted of waking up, making coffee, and catching up with social media (mainly Twitter) and emails. Then I would follow up on all my vendor submissions to see if they required attention or a response. This would take around an hour, after which I would proceed to actual security research.

Describe your work process with vendors.

In the early days, once you found a potential bug, you would contact the vendor, send them the information about your finding and wait for them to react in some way to it. Payouts were low and my main goal was to get my name out there.

These days, I am seeing a huge rise in vendors’ bug bounty programs, which makes the community very large, with many people looking into the exact same products and vulnerabilities. This causes vendors to respond much more slowly, as they are handling many more reports.

This sometimes means waiting a couple of months to get through the whole process for research you spent hundreds of hours on. Payouts are then delivered months after your initial submission, making this an unreliable source of income.

What were the benefits of being a freelancer disclosing directly to the vendor?

Years of working with certain vendors have given me inside contacts at these companies, which allowed me to approach them directly and skip the hassle of the initial email, self-introduction, etc. Getting my foot through the door took me three years!

This speeds up the whole process and also allows me to gain insight into what the vendor expects me to provide in the future, what would not be beneficial for me to research, etc.

What made you stop reporting directly to vendors?

Even with the pros I mentioned, speedy processing and insight, once the ecosystem started filling up with an overflow of researchers focusing on mobile and OS as Apple and Google became major players, it became a much slower, unrewarding process to go through.

Most vendors I was working with eventually became unresponsive, and bounties were significantly reduced, with some products having almost zero payout — or just swag (hats, shirts, etc.) — compared to the time spent researching them.

Over the last six months, I have made the switch to disclosure services, which handle all the reporting and verification hassle.

Payments are much better and my overall experience has improved, especially with a person as a point of contact rather than just an “email”.

Further, vulnerabilities that I disclosed to them were paid out to me even before the vendor paid them [the broker].

Any tips for industry newcomers?

I recommend focusing your scope on a tier of software or hardware you have an interest in — for example, if you love the world of CMS, you should focus on WordPress, Confluence and Joomla vulnerabilities.

Connect and network with multiple researchers and brokers covering your scope, especially those who can teach you something you don’t know.

Many researchers have gone freelance due to the COVID situation so there are many discussions and threads about new opportunities.

Last but not least, do your homework before submitting. Many product vulnerabilities are no longer of interest to the vendors. Services such as SSD will usually find out if your finding is worth something in a matter of hours, so you won’t be wasting your time.

New opportunities

As we mentioned in our previous piece, with COVID-19 posing new challenges to society and the worldwide economy, many new and veteran professionals are choosing to go freelance.

High overall revenues and a low risk factor attract security researchers and hackers from all fields to work with disclosure brokers, resulting in industry growth and higher payouts for unique findings.

SSD helps researchers disclose vulnerabilities affecting major operating systems, software, or devices. SSD serves as a hub for researchers to keep and explore their scope of interest, submit their findings, and be rewarded as they always have been.

If you also made the switch and are looking to get a trusted partner on your end instead of chasing vendors, get in touch, disclose your findings and enjoy discreet, quick handling and generous rewards.

Join the conversation:

https://ssd-disclosure.com/

https://twitter.com/SecuriTeam_SSD

https://twitter.com/typhooncon

https://www.facebook.com/typhooncon/

https://www.linkedin.com/company/ssd-disclosure

https://t.me/joinchat/I6jTnFGgDuaJlhk...
