Cash isn't everything when bug bounties compete with the black market

As companies fight over skilled eyeballs, money may not actually be the key to securing vulnerability reports.
Written by Charlie Osborne, Contributing Writer

SINT MAARTEN -- Bug bounties, where security experts are credited and paid for disclosing vulnerabilities in software and systems to vendors, can be lucrative.

There is a common mentality that not only does every bug have a set price, but the black market has sway and influence on how much vendors are willing to pay. But, according to HackerOne chief technology officer Alex Rice, this couldn't be further from the truth.

Speaking to ZDNet, Rice said that illegal trading in bugs and exploits doesn't dictate the price vulnerabilities command in the white hat market. Vendors are offering less cash than the bugs would fetch on the black market, and yet they are still "winning" the battle to secure the reports.

Why? Because there needs to be a balance between cash rewards, keeping bug bounty hunters happy, and making these schemes worthwhile for companies.

The average price of a bounty, Rice says, is therefore determined by a number of factors beyond the black market rate.

"We see with most customers that the price of a bug is not related to the severity of it," Rice said. "[Instead], business impact is one of the most important measurements which goes into pricing -- but it's not the only one."

You would be forgiven for thinking that the more severe and potentially dangerous the vulnerability, the more money would be on the table as an incentive for researchers to find and disclose it.

However, the issue is more complicated than it seems.

"When a business prices vulnerabilities, they spend a lot more time considering the scarcity of the bug and how many they think they have, which is the hardest thing to try and work out [as] you can't know," Rice said.

The potential impact a bug would have on a business and its revenue is important, but once a company has estimated how many bugs it has, an informed guess Rice describes as somewhere between "art or science," a "natural curve" in pricing occurs.

"It's not that you look at your peers and go, hey, everyone is paying $20,000 for a [remote code execution bug, or RCE], I'm going to pay $20,000 for an RCE," the executive said. "You have to ask: how long have they been doing that, what was their growth curve to get to there, and how many do they have in between that period of time?"

In Kaspersky's case, when the security firm first launched a beta bug bounty program, the price for an RCE was set at $2,000.

However, six months in and with enough data to guess at how many bugs of this severity may be out there, the price was bumped up to $5,000.

The next stage is deciding when to raise the price of a particular kind of vulnerability report. Companies don't necessarily want to start high and be pummeled with report after report -- not only because submissions take time to go through, but also because they must have the resources available to resolve the vulnerabilities they pay for.

As noted by Rice, Microsoft, as an example, issues higher bug bounty payouts during beta stages as "this is the time when their engineers are ready to start fixing them."

"The natural curve where the price for these vulnerabilities changes most dramatically [is] not based on what you can do with it, but the scarcity of it and the team's current backlog," Rice says. "Defenders very rarely base their pricing on the black market."

Once these prices have been established, the financial lure offered by both legitimate exploit purchasers such as Zimperium and illegal traders in the internet's underbelly is often far beyond the average reward offered directly by vendors.

According to Rice, however, vendors are still able to compete with the black market without offering anywhere near the same prices.

Apple, for example, only launched a bug bounty program last year, offering up to $200,000 for serious vulnerabilities. Before this, the company's Hall of Fame was enough to receive a constant stream of bug reports without paying a single cent for them.


Why? Not only do researchers use the same devices on which they discover bugs, and so would like to see them fixed, but there is an "intrinsic motivation" in seeing their work do some good -- and receiving the credit for it.

"You have to be comfortable with a huge amount of moral ambiguity and no real feedback in how you're doing or whether it makes a difference [to sell bugs on the black market]," Rice says. "It turns out that is really important to most folks."
