This morning my friend Casey Ellis, who's a really cool Aussie, sent me this link: http://bugcrowd.com so I went and checked it out. Now, admittedly you already probably know I'm not a huge proponent of "bug bounty" programs, as I see the abuses and failure potential outweigh the redemption value in the cases I've seen outside of the few 'big names'... but this caught my attention because they may actually be onto something.
The premise is that they're going to be your outsourced bug bounty program provider. I know, crazy right?
The objections I personally have with bug bounty programs is that they can run afowl quickly, and if the organization isn't set up to actually benefit from all the poking and prodding, what's the use? We'll need a thorough analysis of the pratfalls of bug bounties and what Casey's group is going to do to avoid them, but let's talk about bug bounties for a minute...
I asked Casey over Skype (heck, it's 3am down under as we talked!) some basic questions, starting with "Why do this?"
"Lots of businesses want to do this (have a bug bounty program) but have it in the "too hard basket" and we're trying to change that" says Casey. I certainly agree that a bug bounty program is quite the undertaking both internally and externally for any size company. Externally you've got a lot of work to do to connect with the community that will be poking at your infrastructure, and assure them your program is legitimate and at the same time try to not get played. Internally it's a political battle, I'm certain, as people struggle with the idea of external entities finding and exposing bugs in your infrastructure and applications! This isn't simple, and if you're an SME you're in even deeper waters. As a small-to-medium enterprise you may want to have such a program, but probably can't afford to staff it and run it, so it makes a lot of sense to have someone externally do this for you... assuming you can trust them enough.
My next big question for Casey was how he expects to run such a program where it's nearly impossible to control the external variables. When customer X signs up, do they just hang a "Hack us, we'll pay you for it" sign on their virtual front door? This is a very serious issue for which Casey's start-up has some "secret sauce" which I will let them talk about when they're ready ...suffice it to say that I've gotten a peek into the inner-workings of the practice and I think it could very well work. Their model eliminates the "open season" fear organizations may have, while providing legitimate and real value for a reasonable pay-out to the bug hunter.
Now, the trick is, as I've said for years, is to get value from this type of exercise. When Company X signs up for a "bug bounty as-a-service" program, the question isn't whether someone will find flaws in their infrastructure, applications, and services - it's how much of it will someone find and is Company X willing to fix the problems. Worse still is the question of does Company X have the resources to do so? My problem with bug bounty programs is that the bug hunter typically signs an NDA prohibiting them from talking about the things they find, in exchange for money. If the bug is juicy enough, we're to assume that the bug hunter will abide by the NDA they signed because the money will be worthwhile...as the broker Bugcrowd will need to ensure that the transaction is done sanely and that both parties walk away happy. In real life this is a lot easier said than done.
The big question I had for Casey is when Company X signs up for a 'bug bounty' program through them, is it just open season on their stuff? Apparently, the answer is no - but I like the way they've structured it. From what I can tell the client gets to dictate the nature of the engagement - much like a real-life penetration test, with rewards for the victors. The whole thing is time-boxed, and once the technologies are determined the scope is posted and bug hunters can 'apply' to join the program and hack away. That's a very interesting approach, limiting the potential liability and scope from "everyone" to those willing to claim to be ethical and know the technology in question. We'll see how this pans out in a few months, but I'd have to say I'm optimistic about the model ...now it's all in the execution!
So how do you keep organizations accountable for the bug that are found in their stuff? What about keeping the bug hunters from using their findings for nefarious pursuits? I don't know that the answers to that are clear right now... but Bugcrowd is certainly one start-up that I'm going to follow... it's an interesting new approach, and one that may very well have some very real value for those companies that can't afford big internal security teams staffed by expert ninjas... time will tell.