Crowdsourcing security exploits: how the cloud can keep us safe

Opinion Davey Winder Jan 28, 2013

Could we be about to see the emergence of penetration testing as a service? An Australian initiative could pave the way

Whenever you see the words 'cloud' or 'hacker' or 'security' in an article, you can generally expect that it's not going to be positive spin on the concept of cloud.

However, it doesn't have to be that way. I've come across a service from Australia called Bugcrowd that proves the point. Bugcrowd relies on crowdsourced bounty hackers who help secure software and services against criminal exploitation.

The idea of hunting bugs for money is certainly nothing new, and many of the major software and online service players have schemes that reward such endeavours.

Google, for example, has a zero-day discovery 'Elite' programme which, rather aptly, pays a maximum of $3133.7 ('elite' in hacker speak).

It's quite possible to earn more, much more in fact: the 'winners' of the last Pwnium security challenge got a none too shabby $60,000 each for zero-day exploits that could impact the Chrome browser. It all makes sense: the pay-off is far less than the cost to a vendor whose product falls foul of a zero-day exploit.

We live in hard times, economically speaking, and the temptation from the 'dark side' is a far from fictional reality. A well-structured dark market for zero-day exploits, product vulnerabilities and weaknesses exists and is positively thriving.

With data theft being a competitive criminal business these days, the bad guys are always on the lookout for exploits which allow them to be ahead of the curve. Zero-days are a very valuable resource, enabling a criminal enterprise to successfully breach a target before the software (or service) vendor even knows a particular vulnerability exists. This criminal window of opportunity might run for a day or two or, in the most profitable of scenarios, a few weeks or months. Bounty programmes give the good guys less reason to turn bad.

The Aussie initiative is a new way of crowdsourcing security exploits. It's quite a simple concept: get IT security researchers, hackers, semi-professional penetration testers and the like to work together to uncover and ethically disclose critical bugs and vulnerabilities to vendors before the bad guys get a chance to find and use them themselves.

It's clever as it leverages the very real power of crowdsourcing in a positive way within what is often seen as something of a negative marketplace. But also because it rewards these endeavours not just with money, but also with something that many (white hat) hackers love even more: kudos. The Bugcrowd system uses a points-based kudos feature to reward those hackers who find the bugs with an enhanced reputation within their peer group. With well in excess of 1,000 hackers already signed up, this is no small crowd either.

This crowd/cloud approach to bug hunting is being touted by some as the future for penetration testing. After all, you get a whole bunch of well-known security researchers, keynote speakers at hacker/security conferences, all working together to make your business more secure. But I'm not convinced that the concept can transfer away from the relatively straightforward bounty hunting market to a more specific security consultancy one. Certainly I wouldn't advise any client of mine to open up their systems to a thousand or more hackers that they have no real knowledge of or contact with.

Which is where that kudos system comes into play again, as clients are able to limit the hackers within the crowd to just those with the best reputation in the community if they wish.

For those companies willing to take the risk, however, there may be some potential reward. Not least that payment is driven by success: rather than paying high consultancy fees regardless of outcome, the client puts up a 'bounty' which is only paid out as and when vulnerabilities are discovered. Which means that if none are found then the money is returned, and if only a few are found then some of the money is returned in proportion to the number found. Bugcrowd reckons that every bounty it has raised has, to date at least, led to the discovery of at least one zero-day.

Whatever your immediate thoughts on such a service, I am convinced that this will be far from the last of this kind of crowdsourced business that we see in the IT security sector. Indeed, I would be amazed if some kind of 'penetration testing as a service' trend doesn't start to get busy in the cloud within the next year or two as the idea gains ground with smaller enterprises (outside of regulated markets) looking for lower-cost security audits.

Davey Winder

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no fewer than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.