As Bruce Schneier was saying many years ago: bug bounties are not security. I couldn’t agree more with that. Additionally, from my short experience, bug bounties are laughably close to a scam for researchers, and we will talk about that in a moment. Yes, they can behave like a form of “external” security outsourcing, but barely; of course they will never be (and should not be) a substitute for your own professionals and testers.

Anyway, first things first: the “art” of Bug Bounty is basically freelance penetration testing, in a way. Anyone on the Internet can go to a company, find a vulnerability and have a streamlined process for reporting it to them. If it’s a unique vulnerability and you are the first one to submit it, then you get a monetary reward (theoretically) at the end. I would also like to say that bug bounties are not as easy as they are sometimes advertised; in fact the field is so dense and heavy that you will never learn everything, and as you start getting into it there will always be more things to learn. It’s a gaping, never-ending void. It will take a lot of time to become good at something significant and make a difference, and you will realize it sooner rather than later.

I was dedicating these last pandemic months to looking for bug bounties, essentially because I was attracted by the hype they are having right now. And, honestly speaking, also for the money; a lot of folks (including me) were dazzled by the apparently high payouts they dangle as bait: "Look, Amazon/Apple/MS/Facebook/Google might pay ONE MILLION dollars." But when you decide to devote a huge amount of time to this, you realize it is not just a matter of spending hours and hours trying to find a bug and reporting it. Let’s dive in a bit so I can explain why.

We will try to aim for that $1M prize from whatever company you like, so this is what you need to qualify for the payment as advertised in “Network Attack without User Interaction, Zero-click kernel code execution persistence and kernel PAC bypass”. Dissecting that sentence, your bug needs:

  • Kernel execution and PAC bypass
  • Zero-click launch
  • Persistence
  • On up-to-date products (latest hardware).

All of this means that, in the average case, you will need three full exploits, all chained: one to get entry to the device, the next one to elevate to kernel, and the last one to persist on the device. So you will need to find extremely high-quality bugs, probably in different areas of the product itself: one in some application, another one in a driver, and maybe another one that triggers during initial boot. These are very different areas of security research, I must say, and very few people understand all of them at a proficient level.

I must really highlight that these three stages are in quite different areas of security. So it is unlikely that a bug in one of them is going to be helpful in building an exploit for another. On top of that, each stage involves a great amount of research just to find some sort of lead toward a possible bug worth reporting. From this perspective, I bet the $1M prize looks very far away, since this bug bounty involves exploiting (at least) three different targets and bypassing all the security mitigations surrounding them.

Never mind, it doesn’t matter: we are IT geniuses and we were able to build our heavenly exploit, so it’s time to go to Las Vegas and gamble our golden money in the casino… well, not so fast. First, $1M is an upper bound of what the companies usually pay. Almost half of it depends on whether or not they are already aware of those bugs, even if they are not patched yet. They just need to be ‘privately aware’, and in that case a big percentage of your cash is gone. A lot of uncertainty lies here in the money you will receive (or not), and given all the effort it entails, suddenly $1M doesn’t sound like a big amount of money for these struggles.

Surely, these kinds of payouts are not for sitting at home for 5 months and reporting a bug you may find while you drink your Saturday morning coffee. They are the result of teamwork by world-class security researchers with years of experience (and pain), and cannot be reduced to an uncertain prize or timeline. I think many of these elite researchers can make more money in salaried jobs than by spending their time on these ethereal things.

I have found it useful to think of external bug reports as a form of whistleblowing. Someone noticed something wrong with your product/infrastructure and is bringing it to your attention in the hope that you'll address it. There exists the possibility that some (individuals and companies) use the discovered issue to elevate their own profile, which is not directly related to fixing the issue at hand, and some who just want to see the world burn. But many vulnerability reporters are acting in good faith and just want to see it reciprocated. In this context, as we mentioned, bug bounty programs are meant to create a streamlined process for accepting and acting on reports, and to signal that the vendor intends to be appreciative and cooperative. Now let’s replace the words "bug bounty" with "whistleblowing", and it makes sense instantly that bug bounties are not meant to, should not, and cannot replace any kind of security effort. It is definitely not a form of outsourcing. Nobody outsources their internal audit to random unknown people.

In my opinion the value of bug bounties is considerably overestimated; the companies that rely on them are just too cheap to pay for actual pentesting or red teaming activities. The people that work on them are voluntarily undermining the value of what they do.

The economics of bug bounties are totally flawed: hours of unpaid labor in the hope of getting paid. The success stories are exceptions and should not be used as examples for new entrants into the bounty world. As far as I am aware, there is no contract with an agreed-upon sum for an agreed-upon product. The vendor has no legal obligation to pay anything. All bug bounties are a way for vendors to indicate desirable behavior to researchers that they will ‘consider’ rewarding. No promises.

I would like to quote Schneier again as a conclusion for this topic: “Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security.”