Saturday, November 5, 2022

Looking For A Good Bounty Hunter? Pay Attention To These Top Ten Needs

 


As we approach into 2023, there is one thing that is for sure, at least on the Cyber front:  The need for good researchers.  True, one can argue the fact that most AI and ML tools can pretty much do this, and give the IT Security team a pretty painting of what future threats will look like down the horizon. 

While these tools are great in combing through huge amounts of data, when it comes to research, it always takes human involvement in order to confirm if something will be for real or not.

Honestly, finding good researchers is a hard task to accomplish.  In fact, I have written about this in some detail in a previous blog.  It takes quantitative skill, curiosity, persistence, and the ability to communicate results effectively with the team.  Some researchers are hired on a contract basis, while most of these kinds of efforts are spread throughout the IT Security team. 

But yet, there is another way to get researchers onto your team (and who knows, they might even make a good full-time employee).  These are known as the “Bug Bounty Hunters”.  These are the people who are given a security vulnerability and attempt to find a solution to it. 

If it is picked by the vendor, this person or team is then awarded a good sum of money.  We are talking like five figures or even higher. 

There is nothing new to this, many of the tech titans do it, and even those not involved in the tech field even offer it.  But one of the major drawbacks of this kind of program is that it can take forever to get a payout.  A large part of this is the review process that is involved by the vendor. 

Another complaint that the Bug Hunters complain about is that the criterion for how the payout will be awarded is not disclosed.

There are other complaints which are stacking up, and these include the following:

*How the vendor exactly classifies what a vulnerability really is.

*They want to know more details about the previous year’s payouts.  They claim that once they know this, they can then make a decision easier if they want to participate or not.

*How long it takes the IT Security team to triage their incoming alerts and warnings.  If this process appears to be quick, then then the Bug Hunter knows that they are dealing with the real thing, and not with an entity that simply blows security related issues. 

*Probably one of the most important:  The rules of determining on the timeframe of when the bounty will be paid.  Of course, everybody wants to be paid fairly quickly, but to be fair, the vendor also needs some time to go through all of the solutions presented in order to select which one will be the best to use.  In other words, some common ground needs to be found here. 

*The vendors like to pay out as little as possible, and of course, the Bug Hunter wants to get the maximum amount possible, because they feel that their time is valuable, which is of course true.  It is often advised that in these kinds of conditions, and average payout is probably best.

*Bug bounty hunting is a lot like Penetration Testing, but on the side of the Red Team.  Therefore, the Bug Hunter is going to have tear down the walls of defense of the vendor, in order to find a good enough solution. But contracts need to spell out clearly what get can ethically hacked into.  While this should take of the legal ramifications, it typically does not.  Therefore, the Bug Hunters are often fearful if there will be some sort of reprisal by the vendor.  Because of this, a clause known as the “Safe Harbor”.  This clearly states that a vendor will not go after a Bug Hunter if their efforts that have been conducted was the result of living up to the terms of the contract in good faith.  While most Bug Hunters tend to be ethical in nature, some are not.  Therefore, the Bug Hunter want to know to what degree that they will be protected and the other resources that they can turn to in case they get burnt.

*Quickness:  The Bug Hunters want prompt answers to the above, and they want to hear from the people that have actually requested submissions.  But above all, if their submission is selected, the Bug Hunter should be notified promptly and the payout made the same day, if possible.

*Clear submission guidelines:  The Bug Hunter wants to know up front what the other requirements are for submitting a solution.  They should not be told of what other information is needed after the initial solution has been submitted.

*It is not the admin assistant that is reading the solution:  Bug Hunters, if they are serious in what they are doing, will prepare their solutions in a professional manner.  It may require a lot of “geek-speak”, so they expect the people that are reading the solution will actually have the same level of expertise.  In fact, this should be part of the entire disclosure process:  The names and the biographies of the people that will be reviewing the solution should also be provided to the Bug Hunter as well.   

*An advocate:  Unless the Bug Hunter does their due diligence, they will want some outside support to advocate for them in case something goes wrong.  IMHO, some sort of external third party should be used, such as a lawyer that has a background in Bug Hunter cases.

My Thoughts On This:

In the end, implementing a Big Bounty program could be the best way to hire a researcher for your company.  For instance, you will be able to witness firsthand the level of expertise that is involved helping you to find a solution. 

But remember, treat your Bug Hunters like you would like your employees, with respect, honesty, and a clear lines of communication.  But above all, make your payments quickly.  If you wait a long time to do this, not only will the image of your company start to erode, but it will be harder to find quality help when you need it the most.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...