
The Bug Bounty Hunter and the New Zero-Day Exploit Economy

Software vulnerabilities, commonly called bugs, are flaws that can be abused to make a system or application behave in unintended ways: disclosing sensitive information, degrading availability, or granting unauthorized access. A vulnerability is what a malicious hacker exploits to gain a foothold and then reach the later objectives in a long kill chain of steps. The life cycle of a vulnerability can therefore be described as starting with its discovery by a vulnerability researcher or a malicious hacker; if a malicious hacker finds it first, the bug is actively exploited "in the wild" until the manufacturer or developer releases a fix or patch that renders the exploit ineffective. Note that a patch only closes the window once it is actually deployed; a system that has not applied the fix remains exploitable long after the fix ships.

I remember as if it were yesterday when Scott Chasin made the announcement in November of 1993 of a new mailing list called Bugtraq that would provide an unmoderated, open forum for security researchers and security practitioners around the world to collaborate on the discovery of new vulnerabilities and how to fix them. I first began getting involved in vulnerability research in my freshman year of high school in 1994, just a year after the mailing list was created. I created the vulnerability research team called Fate Research Labs and, along with our other researchers, published several vulnerabilities on Bugtraq (and had the privilege of publishing the first vulnerability on Bugtraq affecting virtual private network appliances under my moniker Loki). Bugtraq would soon become part of the SecurityFocus.com brand, a central nerve center for all things cybersecurity research and news prior to its acquisition by Symantec.

The open-disclosure community was historically self-governed, and its norms were for a long time the subject of much debate. Each researcher or "team" had its own guiding principles, rules, and timelines for vendor notification and public disclosure. SecurityFocus attempted to codify a set of community-developed rules or bylaws (referred to as its disclosure policy) that were largely adhered to. For the most part, vendors were given proper notice before an advisory was published on Bugtraq, along with a deadline by which a patch had to be released before the researcher(s) went public with the finding. Historically, vulnerability research brought the researchers no profit; most were simply seeking notoriety.

Fast-forward 25 years and you have what is quickly becoming a new economy and career path as researchers who once chased notoriety and recognition give way to a new generation of bug bounty hunters seeking to earn millions of dollars as a result of their findings.

There are two broad types of bug bounty programs: those run by the vendors themselves, which keep vulnerability disclosure and the patch development and release process under the vendor's control, and those run by third-party, for-profit companies in the crowdsourced bug bounty space. These companies (HackerOne, Bugcrowd, and Synack) help create, manage, and coordinate the disclosure of vulnerability bounty programs on behalf of companies and vendors; think of them as the proxy or mediator between the researchers and the target under research. In April 2018, United Arab Emirates (UAE)-based Crowdfense caused a stir when it announced record payouts of up to US$3 million under the banner of what it called a US$10 million bug bounty program for bugs in software affecting Android, iOS, Windows, and macOS. The discussion turned polarized when the company made clear it would not be disclosing the vulnerabilities to the manufacturers but selling them to government agencies instead, which makes Crowdfense a zero-day broker rather than a disclosure platform, despite the bug bounty label.

Vendor-run bug bounty programs are also paying top dollar: Microsoft pays from US$15,000 for critical bugs up to a cap of US$250,000 in its highest-paying programs, and even HP recently announced payouts of up to US$10,000 for vulnerabilities discovered in its printer line. HP selected Bugcrowd as its platform partner, taking a crowdsourced approach to the vulnerability management process.

The income received by researchers is no small change. Jobert Abma, co-founder of HackerOne, has earned US$80,000 in eight months from bug bounties, and HackerOne has paid other researchers who individually earn US$200,000 a year on the platform. Synack, for example, recently announced at the 2018 Money20/20 conference in Las Vegas that one of its own bounty hunters had received a US$1 million payout. The income available to bounty hunters is growing at a staggering rate: HackerOne announced that by April 2016 it had already paid out US$7 million in bounties.

So the vulnerability research mailing lists of the 1990s have all but disappeared, giving way to a for-profit system that draws in more researchers and rewards the responsible disclosure of discovered vulnerabilities. The once nascent bug bounty industry continues to grow at a rapid pace, fueled largely by venture capital in the tens of millions of dollars poured into all three major bug bounty services: Bugcrowd, HackerOne, and Synack.

But have these crowdsourced bug bounty companies made the black market for zero-day exploits irrelevant? Are malicious hackers who find zero-day bugs willing to sell their latest wares to the legitimate services of Bugcrowd, HackerOne, or Synack instead of taking the money they can make on the black market, where the buyer pays for the bug to stay unpatched rather than fixed? Only time will tell.