Lawmakers look to bug bounties, but experts warn of unexpected work

Lawmakers look to bug bounties, but experts warn of unexpected work
© Getty

The latest trend in cybersecurity legislation is “bug bounties,” rewards programs to encourage independent researchers to help defend other people’s networks. But experts say what is often pitched as a plug and play, easy fix solution, requires far more groundwork than what legislators and agencies might realize.

Lawmakers are currently mulling three bills to create bug bounties.

The Hack the Department of Homeland Security Act would require the department to offer cash prizes to any researcher that reports a security flaw in a Department of Homeland Security (DHS) system. DHS can then patch those flaws, stopping hackers from taking advantage of them.

The Treasury Innovation Act would do the same for the Department of the Treasury, while the Securing America's Voting Equipment Act, released on Tuesday, would open a bounty program to alert elections systems manufacturers.

ADVERTISEMENT
The bills take some steps to prepare agencies for a bounty program, but people who run the programs worry that legislators or agencies may start setting themselves up for failure. Even sophisticated businesses often underestimate the amount of work that goes into opening one of these programs.

“People come to us saying ‘We want to open a bug bounty right away,” said Casey Ellis, founder and chief technology officer at Bugcrowd, a firm that helps companies develop bug bounty programs. “We have to tell them, ‘No you don’t.”

Opening the floodgates for users to submit bugs only works when there are processes in place to analyze submissions, sift out duplicates and bad leads, and prioritize and repair the bugs. That infrastructure takes time, money and practice.

“I like to say there are a bunch of different muscles you need to learn how to flex,” said Ellis.

Most organizations exist on a model where maintenance and upgrades can be planned and neatly scheduled.

Government agencies traditionally do considerable deliberation before making technology changes. Introducing a bug bounty program, said Ellis, means changing to a model of continuously interrupted plans as newly-discovered security flaws shift priorities or make certain upgrades impossible. 

This does not mean that bug bounties are not useful. Businesses from Microsoft to Etsy have seen value in the programs. The government has run a few successful bounties in the past, most notably at the Department of Defense with Hack the Pentagon, Hack the Army and Hack the Air Force programs.

But those didn’t open overnight.

“It took more than two years to organize Hack the Pentagon,” said Katie Moussouris, founder and chief executive officer at Luta Security, a consultancy focused on bug bounty strategy. Moussouris is best known for her time at Microsoft, where she launched the Redmond-based tech giant’s bounty program.

Moussouris notes a number of stumbling blocks organizations face along the way to starting a bug bounty program. Many already have a backlog of bugs they know need fixing, but have not been able to fix with current manpower. Others may be used to being able to only reassign tech staff for occasional fixes and are not prepared to have a continuous flow of vulnerabilities. Still others launch a bounty before running simple, cheap systems checks, forcing them to pay thousands of dollars in rewards for work she said “an intern could do.”

There are legal preparations that need to be made, said Moussouris, including designing program terms that prevent malicious hackers from being able to say they were just participating in the bounty.

Governments, she said, are bound to face even more problems. There are a variety of services agencies run in conjunction with other agencies — who would be in charge of a security flaw affecting a joint Department of Homeland Security-FBI facility?

The voting equipment bug bounty program may face an additional hiccup. States are in charge of voting standards, and many rely on an optional federal voting machine certification standard that makes the update process less agile.

“[T]o apply a patch, that version may have to be federally recertified, which isn't quick,” said Joseph Lorenzo Hall over electronic chat. Hall is the chief technologist at the Center for Democracy and Technology and the head of that group's new voting machine security initiative. 

Moussoris and Ellis recommend a tiered process. Before introducing a bug bounty, start with a program that allows researchers to submit bugs without the offer of a reward, and then continue with a private bug bounty with a limited number of vetted researchers. The slow-launch approach will allow agencies to adjust to life with a bounty and figure out some of the kinks.

The bills currently before Congress attempt to mitigate many of these concerns.

The Treasury Innovation Act and Hack the DHS Act both give agencies six months to develop a strategy, require the respective secretaries to talk with officials involved in the Defense bounties about potential pitfalls, and subcontract running the bug bounty and mitigating any discovered bugs to experts.