Upgrading Your Cybersecurity from Cowboys to Sheriffs

- Security, Business, Anecdotes

Cowboy riding a horse in the sunset

Roaming throughout the countryside, dangerous desperados are awaiting in their hideout for the perfect opportunity to rob their victims in silence. Powerless, the authorities have posted wanted posters on public boards with cash bounties for any information that could lead to their arrest or death, hoping that good citizens will rise and bring justice to the country.

Soon, brave cowboys decided to take on the challenge. Looking for fame and fortune, they explored the arid deserts for any trail leading to their targets, pursuing the tiniest of details until they finally found some of the scoundrels.

Unfortunately, unskilled citizens and charlatans seeing the news also wanted a piece of the pie, and hoping to do so without putting in the effort. They started to unwillingly harass the ignorant officer assigned of processing the reports from the public, which was less than happy about the situation, and soon became frustrated and jaded.

The heroic cowboys, however, were oblivious of the situation. Proud of their accomplishments, they returned to meet the same agent to collect their bounties, and were rather surprised about how their reports were processed. One was disregarded as the information was already known months ago. Another was not applicable since it reported something in the wrong jurisdiction despite contradicting official maps. A third was ignored because the criminals were not notorious enough. A fourth used jargon that the agent misinterpreted. A fifth was never read seriously. A sixth was rejected due to insufficient evidence. And so on, and so forth. While the flabbergasted claimants appealed, they generally just led to more wasted time for everyone.

And yet, the starving souls persevered in their adventures. They started to group together and encouraging each other with tips to be more efficient trackers, and work around the obtuse and seemingly-arbitrary rules of the officer. They would enter friendly competitions with each other to prove their worth, and learn from the best. One day, they would prevail and realize their dreams, they thought.

The unfortunate truth is that only a few were talented and determined enough to rise among the rest and become local celebrities. And even then, most could not rake in enough money to survive. But despite this, they continued forward, motivated by a never-ending desire for catching the bad guys and bringing them to justice, until they either starved to death or were forced to retire. The boldest would keep their dreams alive against all odds, chasing bandits around the countryside during their free time as a hobby of sorts, while looking at the sunset for a better future.

The end... or so everyone thought, until history would repeat itself.

Because this isn't just a bad Western story. This is also what's happening in the cybersecurity industry nowadays. Replace the criminals with software vulnerabilities and the cowboys with freelance security researchers, and the story still holds. In fact, it becomes a story in which I participated myself for a little while as a potential career, until I realized how ruthless and fundamentally broken the current economic model of bug bounties really is.

Bounties on computer bugs?

The basic idea of bug bounties is rather simple: an organization allows people to attempt to hack some of their systems up to a reasonable limit, and in exchange people that privately reports found vulnerabilities receive rewards proportional to the business risk associated with their exploitation, as long as they are the first to report each of the vulnerabilities. Reward amount ranges must also be clearly posted in advance for each applicable weakness type (for example by CWE ID) or vulnerability severity (for example by CVSS base score).

This system has a few advantages. First, it encourages people to report problems that they would not privately disclose otherwise. Second, it serves as a security audit of last defense. Third, it gamifies the work associated with performing security audits, encouraging people in the activity without having to unnecessarily pay them.

In fact, the gamification works so well that some organizations don't even bother giving cash rewards, and instead grant points to participants for notoriety purposes only. And yes, there are people stupid enough to agree in such free labor for profit-making organizations; I've even personally encountered a foolish security researcher that directly encouraged me to do so!

The other side of that system however, is represented in the story from the introduction: there is too much competition in the field, and said competition is not necessarily talented. Script kiddies performing low skill attacks without understanding what they're actually doing is pretty common, unfortunately.

This causes a lot of noise to sort through by people that may not be familiar enough with cybersecurity to do a good job of doing so, and that's if they even care in the first place. For example, whenever I would ask for help from fellow freelance security researchers, the help I would generally receive came from people less talented and knowledgeable than I already was about the topic I was asking about, and sometimes said help would be completely irrelevant and distracting. While I've heard from some of them that they really enjoyed belonging in a community that would help each other, I felt more like being lost in a sea of children scrambling to get their homework done together without any understanding of what they were trying to do.

Plus, organizations may be reluctant to post or award competitive bounties because they think that they may not be able to afford it, or simply due to blind greed. For example, a previous work colleague told me that they had a bug bounty program in place in their organization, but abandoned it because it wasn't considered to be worth the maintenance costs after all. In another example, I had another organization refusing to award me the posted bounty despite a working exploit that stole the social security numbers of customers, and despite them acknowledging that I had correctly complied with their posted bug bounty program guidelines. This is absurd on both sides of the relationship.

While it is possible for an organization to mitigate the competition issue by only allowing noteworthy security researchers to perform hacking attempts in a private program, doing so like this is far from perfect. I can speak for experience on this regard, as I had joined a private program myself, the Synack Red Team, from which I made a whopping total of absolutely nothing in gross revenue. I was personally hoping that my extensive expertise in software development and cybersecurity would give me an edge, but this has proven to be insufficient for success. In fact, every single single security researcher I have interviewed that was part of that private program, including very talented hackers on top of the leaderboards and even one of their official ambassadors, admitted to me that they could not make it a full-time job if they wanted to.

From my analysis, I can only conclude that, in general, only the fastest researchers and/or the hyper-specialized researchers have a chance to make a living out of it... and those are things that should be better handled by manual and automated testing performed internally or by consultants anyway.

Which leads me to my next point.

Cowboys versus sheriffs

While it makes sense to have jobs being compensated proportionally to the value of generated accomplishments, limiting such accomplishments to the gravity of exploits found is not. The reason is that security research is not about finding vulnerabilities, but about assessing the strength of defenses. Having a bunch of people potentially trying to validate the same thing over and over again is simply not productive for anyone.

It's worth nothing that Synack is in a unique position to implement a few measures with its private Red Team program to mitigate this, but without going into details, during my time in that team, these measures were rarely helpful to me, and sometimes caused even more problems than they solved. Despite some good ideas and innovations, they were mostly wasted due to questionable implementation.

Considering this, I believe the problem is using bug bounties as a means to receive community-driven security audits (cowboys), instead of investing in professional security audits (sheriffs). And by professional, I don't mean hiring a consulting firm for yearly audits, but rather having a strong internal strategy to mitigate security risks, and assess defenses constantly throughout development. Besides, if a freelance security researcher would come up with creative solutions to exploit your system, wouldn't you want to hire them to look for more anyway? That sounds much better than a one-time cash reward to me!

An important keyword here though is "creative". It's easy for an organization to say "we take security very seriously", but it won't help without people actually doing so. And again, leaving that responsibility to random freelancers on the Internet is most likely insufficient.

I'm not sure if it's possible to write a universal security strategy, but I believe good ones should at the very least include:

As you can see, bug bounty is nowhere to be found in that list. Security research, just like the rest of quality assurance, should be embedded in all stages of development in my opinion. And if you get really confident in your security, feel free to announce bug bounties with huge payouts to prove it to the world! Until then, if you may be lacking in the required expertise to course-correct, I would recommend reaching out to external partners to help you make the transition, as fellow sheriffs to guide you on the path towards prosperity.

So, how can you improve your security strategy in your organization? 😉

Related content I wrote

Open treasure chest with a question mark in it

The Future of the Video Game Randomizer List

- Video Games, Programming, Anecdotes

It's hard to believe that it's been almost 8 years since I first posted on the ROMhacking.net forums a list of video game randomizers that I found online, and that it would evolve into the massive project it has become today, with almost 900 entries currently being listed. It's always a strange…

Playing with an Xbox controller

My Personal Video Game Completion List

- Anecdotes, Video Games

I thought it would be fun to track the long list of video game that I have beaten and/or completed for reference, so I've done just that! There may be a few mistakes here and there due to secret features unknown to me, or due to misremembering details of my past gaming experiences, but I believe the…

Dice stacked in a triangle shape, with their face numbers matching their row position

I Designed the Perfect Gambling Game, But...

- Mathematics, Business, Game Design

Back in 2006-07-08, during the 13th Canadian Undergraduate Mathematics Conference at McGill University, I presented a gambling game I designed with the novel property of being both advantageous to players and the house, and that despite this proprety, that pretty much nobody in their right mind…

Field of CG-rendered disembodied arms pointing at a dark sky at sunrise

Current Generative AIs Have Critical Quality Issues

- Business, Quality Assurance, Security

The hype for generative AI is real. It is now possible for anybody to dynamically generate various types of media that are good enough to be mistaken as real, at least at first glance, either for free or at a low cost. In addition, the seemingly-creative solutions they come up with, and the…

Stream of concatenated JSON objects

Current Data Serialization Formats May Be a Waste of Money

- Programming, Business

Storing data. Transmitting data. Processing data. These fundamental topics of computer science are often overlooked nowadays thanks to the historical exponential growth of processing power, storage availability and bandwidth capabilities, along with a myriad of existing solutions to tackle them. So…

See all of my articles