Bug Bounty Programs – a Public Good that is a Necessity for Corporates, SMEs, and Individuals Alike
As the cyber threat landscape continues to evolve and threat actors increasingly target vulnerable external-facing assets, bug bounties present organizations with an opportunity to proactively identify and remediate vulnerabilities before they can be exploited by attackers.
In today’s digital age, cyber threats have become increasingly prevalent, and enterprises are struggling to keep up with the pace of these threats. This is evident in the number of disclosed vulnerabilities and identified zero-days. For example, the number of vulnerabilities increased from 20,171 in 2021 to 25,227 in 2022, a growth rate of 25 percent; meanwhile, 80 zero-days were exploited in the wild in 2021, more than double the previous record volume set in 2019. These statistics indicate that traditional methods of cybersecurity are no longer sufficient to protect businesses from evolving cyber-attacks.
As a result, bug bounty programs have become increasingly popular as a way for organizations to identify and remediate vulnerabilities in their systems. These programs offer organizations the opportunity to leverage the skills of the global cybersecurity community to identify vulnerabilities in their systems and applications. PwC’s Dark Lab explores the benefits of bug bounty programs, along with the potential roadblocks that hinder their wide-scale implementation, and proposes potential solutions that reduce the barriers to entry so that enterprises can leverage them as a viable business risk management strategy to tackle the dynamic cyber risk landscape.
Bug Bounty Programs – An Overview
A bug bounty program allows organizations to define and scope a program in which security researchers are allowed to try to identify security vulnerabilities, often within a subset of the organization’s technical infrastructure, in exchange for financial or non-financial ‘bounties’ for successfully validated vulnerabilities. Bug bounty programs were introduced by Netscape in 1995, though they have evolved significantly since then. Today, there are multiple bug bounty platforms and services available that provide organizations with a streamlined way to engage with the cybersecurity community, including HackerOne, BugCrowd, and YesWeHack. One notable example of a successful bug bounty program is the Microsoft Bug Bounty Program, which awarded US$13.7 million to more than 330 security researchers across 46 countries in 2021.
Governments have also recognized the importance of bug bounty programs in strengthening their nation’s cybersecurity posture. For example, a review of Paragraph 5 of Singapore’s 2018 Cybersecurity Act suggests that service providers offering traditional cybersecurity assessment services (e.g., vulnerability scans or penetration tests) must first obtain a license, whereas companies providing bug bounty platforms and/or services are exempt. This implies that the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) regard bug bounty programs in higher esteem, treating them more as a public good because of the greater value they bring to society.
Issues Faced by Bug Bounty Programs
Despite the growth of bug bounty programs, there are still market barriers that prevent this public good from being consumed. One major issue is the pricing of vulnerabilities, given that vendors determine the value of a bug. The lack of a “free market”, in which security researchers are consequently not properly incentivized, leads to a “tragedy of the commons” situation in which researchers seek a greater economic reward for their proof-of-concepts in alternative markets, such as the dark web or established threat actors. The pricing misalignment is compounded by the lack of legal protection and standardized guidance for security researchers to identify and disclose vulnerabilities, which further reduces their likelihood of obtaining a payout because of the plethora of grey areas that may inadvertently lead to punishment. This is also not helped by poor communication in certain cases, where there is a lack of criteria or requirements on the compensation schemes, restrictions and limitations, and the handling of duplicate reports.
Meanwhile, not all hackers are motivated by money. For example, espionage threat actors are looking for information, and hence no amount of financial incentive would lead them to disclose and/or monetize their zero-days. In general, most researchers are motivated by a combination of factors, such as prestige or career advancement, the challenge or the fun of it, or other ethical or ideological reasons, so it is not feasible to focus solely on financial incentives. Bug bounty programs were also meant to address the shortage of skilled and qualified security researchers who know how to “hack to earn” by crowdsourcing vulnerability identification; this continues to be an issue despite bug bounty programs having been in place for over 25 years.
How to Address those Issues?
There are several ways to address the problems surrounding bug bounty programs. One solution is an independent platform that connects security researchers with organizations, similar to Uber. This platform would allow rewards to be auctioned at the right price, with the oversight of the technology owner. It should connect the right level of talent with the right buyer so that their incentives are aligned.
Another solution is to enhance legal frameworks, similar to what Singapore has done, to recognize the importance of bug bounty programs and to have certified or accredited personnel perform this task. The legal framework should mandate that companies implement and operationalize a vulnerability disclosure policy (VDP) providing straightforward guidelines for the cybersecurity research community and members of the general public on conducting good-faith vulnerability discovery activities directed at public-facing and/or internal applications and services. The VDP also instructs researchers on how to submit discovered vulnerabilities to the impacted security vendor(s) (if applicable) and other relevant parties (where applicable) ethically and safely, with clear guidelines on how to disclose such vulnerabilities.
Finally, there needs to be an investment in talent development to ensure that there is a sufficient number of skilled and qualified security researchers who know how to “hack to earn” by finding vulnerabilities in the first place. Ideally, the legal framework should also mandate the need for security researchers to attain certifications and accreditations with practical elements. That would have a positive downstream impact on investment in cybersecurity education and training, thereby establishing a healthy pipeline of skilled cybersecurity professionals who can join bug bounty programs.
Despite the challenges, bug bounty programs offer significant benefits to organizations looking to strengthen their cybersecurity posture. By reducing the barriers to entry, bug bounty programs can be used as an effective business risk management strategy. In addition, the success of bug bounty programs may lead to the rise and fall of other connected markets. This includes a potential drop-off in cyber insurance, as security researchers would look to profit in legal markets rather than parallel markets like the dark web, or a reduction in traditional vulnerability assessment and penetration testing services as bug bounty programs are run continuously. Meanwhile, new service offerings such as talent development may arise to ensure there is a greater supply of security researchers to meet the increased demand to identify and “supply” vulnerabilities. We expect the adoption of bug bounties in Hong Kong and globally to pick up in the next five years, as it is a cost-effective way to improve cybersecurity through crowdsourcing to qualified security researchers with diverse backgrounds and varying degrees of experience.
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.