Crowdsourced Security: What has happened during the past 10 years?
HackerOne and Bugcrowd, the two most prominent crowdsourced security platforms, introduced crowdsourced security to the general public about a decade ago. Their strategy was to harness individual security researchers located all over the world and give businesses a way to have their products tested simultaneously by dozens, sometimes hundreds, of researchers rather than by a single pen-testing company or individual.
As someone who has been there since the beginning, it is reasonable to consider what has changed during that time. Has crowdsourced security displaced pen-testing companies? What impact have the platforms had on the security industry? Is bug bounty hunting still enjoyable for individual researchers?
One of the lofty goals of crowdsourced security was to give businesses an alternative to traditional pen-testing services, which typically offer a “pay per day” business model: a pen tester is hired to test an asset and discover vulnerabilities within a predetermined time frame. The conventional pen-testing approach has many weaknesses, and crowdsourced security offers a reasonable way of addressing them.
However, one drawback of crowdsourced security is that these platforms are still unable to compete at the same price point as traditional penetration testing companies. Even though a crowdsourced pen test typically uncovers more difficult-to-find and more critical vulnerabilities, a conventional pen test still represents better value from a cost standpoint for a medium-sized business. When pen-testing companies still charge about USD 1000 per day and take 5-7 days to test a website, crowdsourcing does not make financial sense for a medium-sized business because it will cost at least twice as much (some crowdsourcing platforms also charge per vulnerability found, which raises costs even more).
The crowdsourced platforms are commercial entities focused on winning business, and they rely mostly on a ‘gig economy’ model that pays researchers not for their time but for the number and criticality of the vulnerabilities they find. This is very different from traditional gig economy businesses because there are so many restrictions. The most important one is that if you find a vulnerability, you have to jump through so many hoops to get paid that most of the time you won’t get paid at all.
Fortunately, crowdsourced platforms have gradually become more researcher-driven as they have come to understand and appreciate that ‘the crowd’ is not an unlimited resource. So many crowdsourced platforms are now competing for that limited resource that it makes sense to treat researchers properly instead of using them as a disposable asset. For instance, Bugcrowd has recently begun employing ‘Programmer Achievement Directors,’ much like a customer success manager but focused on the researchers themselves: keeping them engaged, fixing any problems they might be having on the platform, and assisting them with questions about escalating issues.
Another “private” crowdsourcing platform, Synack, is finally getting rid of its infamous “24-hour rule,” under which the best write-up of a vulnerability was rewarded rather than the first researcher to find it. This led to some absurdly verbose vulnerability submissions that began with ‘step 1, open your browser.’ Finally, researchers can now receive compensation in several currencies. HackerOne, for example, pays out in Indian rupees rather than the usual US dollar because many of its researchers are based in India.
Sadly, the fundamental business model is still broken. You could spend eight hours on a bug bounty, discover legitimate vulnerabilities, and still receive nothing, which makes it a waste of time.
Re-testing vulnerabilities on some platforms to check whether they have been fixed is likewise done for free.
Bug bounties have been a boon to security researchers, who can now safely look for vulnerabilities on the majority of the internet’s real estate without running into legal trouble. As long as they aren’t focused on denial of service, researchers trying out new testing methods can safely apply them in real time on the live production sites of many well-known products and businesses. Bug bounty platforms also provide a straightforward and stress-free way to log and submit vulnerabilities to businesses without having to hunt for some obscure security contact on their website, and they give researchers direct access to the developers while the issue is being resolved.