As we approach 2023, one thing is for sure, at least on the cyber front: the need for good researchers. True, one can argue that most AI and ML tools can do much of this work and give the IT Security team a clear picture of what future threats will look like on the horizon.
While these tools are great at combing through huge amounts of data, when it comes to research it still takes human involvement to confirm whether a finding is real or not.
Honestly, finding good researchers is a hard task to accomplish. In fact, I have written about this in some detail in a previous blog. It takes quantitative skill, curiosity, persistence, and the ability to communicate results effectively with the team. Some researchers are hired on a contract basis, but more often these kinds of efforts are spread throughout the IT Security team.
But there is yet another way to get researchers onto your team (and who knows, they might even make a good full-time employee). These are the “Bug Bounty Hunters”: people who look for security vulnerabilities in a vendor’s products or systems and report them to the vendor.
If the report is accepted by the vendor, the person or team is awarded a sum of money. For a serious finding, we are talking five figures or even higher.
There is nothing new to this; many of the tech titans do it, and even companies outside the tech field offer it. But one of the major drawbacks of this kind of program is that it can take forever to get a payout. A large part of this is the vendor’s review process.
Another complaint from the Bug Hunters is that the criteria for how the payout will be awarded are not disclosed.
Other complaints are stacking up as well, and these include the following:
*How exactly the vendor classifies what counts as a vulnerability, and what does not.
*More details about the previous year’s payouts. They claim that once they know this, they can decide more easily whether they want to participate or not.
*How long it takes the IT Security team to triage incoming reports. If this process is quick, the Bug Hunter knows they are dealing with the real thing, and not with an entity that simply blows off security-related issues.
*Probably one of the most important: the rules determining the timeframe in which the bounty will be paid. Of course, everybody wants to be paid fairly quickly, but to be fair, the vendor also needs time to reproduce and validate each submission and, when several hunters report the same issue, to work out who reported it first. In other words, some common ground needs to be found here.
*The vendors like to pay out as little as possible, and of course the Bug Hunter wants the maximum amount possible, because they feel their time is valuable, which is of course true. The usual advice in these conditions is that a payout around the average for that class of bug is probably best.
*Bug bounty hunting is a lot like Penetration Testing, but from the Red Team side. The Bug Hunter is going to have to break through the vendor’s defenses in order to find a reportable vulnerability. So the program rules need to spell out clearly what can ethically be hacked into (the scope) and what is off limits.
While this should take care of the legal ramifications, it typically does not. Therefore, Bug Hunters are often fearful that there will be some sort of reprisal by the vendor. Because of this, a clause known as “Safe Harbor” is needed. This clearly states that the vendor will not go after a Bug Hunter whose efforts were conducted in good faith and within the terms of the program. While most Bug Hunters are ethical in nature, some are not. Therefore, the Bug Hunter wants to know to what degree they will be protected, and what other resources they can turn to in case they get burned.
*Quickness: The Bug Hunters want prompt answers to the above, and they want to hear from the people who actually requested the submissions. But above all, if their submission is accepted, the Bug Hunter should be notified promptly and the payout made the same day, if possible.
*Clear submission guidelines: The Bug Hunter wants to know up front what is required for a submission (for example, steps to reproduce and evidence of impact). They should not be told what other information is needed after the initial report has been submitted.
*It is not the admin assistant who is reading the report: Bug Hunters, if they are serious about what they do, will prepare their reports in a professional manner. It may require a lot of “geek-speak”, so they expect the people reading the report to have the same level of expertise. In fact, this should be part of the entire disclosure process: the names and biographies of the people who will be reviewing the report should also be provided to the Bug Hunter.
*An advocate: Even after the Bug Hunter does their due diligence, they will want some outside support to advocate for them in case something goes wrong. IMHO, some sort of external third party should be used, such as a lawyer with a background in Bug Hunter cases.
My Thoughts On This:
In the end, implementing a Bug Bounty program could be the best way to hire a researcher for your company. For instance, you will be able to witness firsthand the level of expertise involved in finding and reporting a vulnerability.
But remember, treat your Bug Hunters like you would your employees: with respect, honesty, and clear lines of communication. But above all, make your payments quickly. If you wait a long time to do this, not only will the image of your company start to erode, but it will be harder to find quality help when you need it the most.