About 10 years ago, the two leading crowdsourced security platforms, HackerOne and Bugcrowd, brought crowdsourced security into the mainstream. Their angle was to harness the power of individual security researchers spread across the globe and provide an outlet for companies wishing to have their products tested not by a single pen-testing company or individual but by dozens and sometimes hundreds of researchers at once.
Having been there since the beginning, it’s fair to reflect on what’s changed over that time. Has crowdsourced security displaced pen-testing companies? Have they made a difference in the security world? Are individual researchers still enjoying bug bounty hunting?
Displacement of Pentesting Companies Hasn’t Happened, But We Now Have More Choice
While the aims of crowdsourced security were lofty, one of the goals was to give companies an alternative to traditional pen-testing services and companies that typically offer a ‘pay per day’ business model of hiring out a pentester to test an asset and find vulnerabilities within a certain time frame. There are many disadvantages to the traditional pen-testing approach, and crowdsourced security does go some way to resolving these.
However, crowdsourced security brings its own problems, namely that these firms still cannot compete at the same price point as traditional pen-testing companies. For a middle-sized business, a pentest is still better value from a cost perspective, even though a crowdsourced pentest usually unearths harder-to-find and more critical vulnerabilities. When pentest companies still charge approximately $1000 USD per day, and you’re looking at 5-7 days for a website test, there’s no commercial benefit for a medium-sized company going the crowdsourced route, since this will be at least double the cost (some crowdsourced platforms also charge per vulnerability found, which inflates the cost even further).
Researchers Are Starting to be Treated a Bit Better, But There’s a Long Way to Go
The crowdsourced platforms are commercial entities focused on winning business and rely mainly on a ‘gig economy’ that doesn’t pay researchers for their time but for the number and criticality of vulnerabilities found. This differs greatly from traditional gig economy businesses in that there are so many caveats – mainly that once you find a vulnerability, there are so many hoops to jump through to get paid that, most of the time, you will not get paid at all.
Thankfully, crowdsourced platforms have slowly become more researcher-centric as they understand and appreciate that ‘the crowd’ is not a bottomless resource. With so many crowdsourced platforms today competing for a finite pool of researchers, it makes sense to treat them properly rather than use them as an expendable resource. For example, Bugcrowd has recently started using ‘Hacker Success Managers,’ much akin to a customer success manager but focused on the researchers themselves: keeping them engaged, dealing with any issues they may have on the platform and helping them escalate problem queries.
Synack, another ‘private’ crowdsourced platform, is finally getting rid of its infamous ‘24-hour rule’, under which the first researcher to find a vulnerability wasn’t rewarded; the reward instead went to the best write-up of said vulnerability. This caused some ridiculously long-winded vulnerability submissions that started with ‘step 1, open your browser.’ Researchers can also now be paid in a variety of currencies. HackerOne, for example, realizing a significant number of their researchers were based out of India, offers payouts in Indian Rupees instead of the ubiquitous US dollar.
Unfortunately, the core business model remains broken – you could spend eight hours on a bug bounty, find valid vulnerabilities and still end up with nothing, effectively wasting your time.
Re-testing vulnerabilities on some platforms to see if they are fixed is also done pro-bono.
Companies Are More Open to Bug Bounties
Having personally experienced legal threats after finding a vulnerability in someone’s website or application and presenting it to the company directly, I can say that bug bounties have been a boon to security researchers, who can now safely look for vulnerabilities on most of the internet’s real estate without running into legal trouble. This is also beneficial to researchers trying out new attack techniques (as long as they aren’t focused on denial of service), as these can be safely attempted on the live production sites of many well-known products and companies in real time. Bug bounty platforms also provide a clean, stress-free way of logging and submitting vulnerabilities to companies without having to hunt down an obscure security contact somewhere on their website, as well as a direct channel to the developers while they are remediating the issue.
Good for the Industry as a Whole
Weighing up a decade of crowdsourced security, I feel it’s generally been positive. It provides a feeder activity for people looking to recruit pen-testers, gives security researchers more freedom to engage with companies and gives companies another choice instead of being locked into only one type of pen-testing company for their testing needs. On top of this, we’ve been rewarded with some high-profile vulnerabilities in certain companies that would never have been discovered in pentests. While there remains a lot of work to be done in the industry itself, it’s become a part of the landscape now, and I look forward to seeing how it will evolve in the next 10 years.