Not all vulnerability hunters play by the rules. There are some who are more concerned about scoring a big payday than ensuring a bug is responsibly disclosed and fixed before malicious actors can take advantage. But there are tactics that tech developers and manufacturers can employ to help steer negotiations in their favor.
In a ransomware panel session at last week’s Incident Response Forum Masterclass, experts weighed in on what to do when unscrupulous, independent gray hat researchers contact a company after identifying a vulnerability and demand a large bug bounty, threatening to otherwise publish or sell their findings. SC Media then followed up by reaching out to additional bug bounty experts to get their own take on how to respond to such a situation.
The initial discussion was prompted by comments from Kari Rollins, partner at legal firm Sheppard Mullin, who noted “seeing a rise in bug bounty demands, not through your traditional structured bug bounty programs.”
“There is a lot of nuanced negotiation that goes into how you respond to and investigate those types of claims,” said Rollins. Not only must you evaluate the pros and cons of paying the individual, but you must also “evaluate the risk of the disclosure,” while determining if the vulnerability is severe enough that it legally would require public notification anyway.
Aravind Swaminathan, partner at Orrick, shared his strategy for these kinds of circumstances, noting that his law firm has had “really good success” in “taking these gray hat researchers and forcing them into the bug bounty program and creating a ‘prisoner's dilemma’ for them, in terms of whether they participate or not.”
Here’s the trick: If you have an existing bug bounty program, you invite the researcher to participate. “What you don't tell them is that they're the only ones that are participating, and they have to follow the rules of vulnerability disclosure that coordinate with the program – and then they are also typically bound by the rules of the program,” explained Swaminathan. “The prisoner's dilemma that it creates is that they have to disclose to you. Otherwise, there may be other people that they don't know about waiting in the wings also trying to disclose” the same flaw.
Knowing that a competing party might be on the verge of disclosing the same bug, the gray hat researcher is “forced to disclose much faster… It takes a little bit of finesse and a little bit of nuance, but that's been a pretty successful way, where the gray hat is holding the vulnerability essentially hostage until you do something for them,” Swaminathan said.
Casey Ellis, founder, chairman and CTO of Bugcrowd, said his company applies the same strategy. “We help defuse these situations all the time. In instances where there have been threats or extortion, one of the strategies Bugcrowd has used to help its customers is to create a private program to invite the threatening individual in order to make them think that they are competing against other hunters looking for the same vulnerabilities. This creates a prisoner’s dilemma dynamic and shifts the power from being 100 percent in the hands of the individual back to the middle. We often see this strategy be very effective.”
Before it even gets to that point, however, some of the best measures you can take are proactive in nature, noted Ellis. This means ensuring your bug disclosure policy is clearly published and plainly stated on your website for all to see.
HackerOne Co-Founder Michiel Prins similarly recommended instituting a well-publicized bug bounty policy as a preventative measure against rogue bounty requests, a.k.a. “beg bounty.”
“Because no system is entirely free of security issues, it's important to provide an obvious way for external parties to report vulnerabilities,” Prins noted. “To this point, every organization should have a vulnerability disclosure policy. VDPs are intended to give hackers clear guidelines for submitting potentially unknown and harmful security vulnerabilities to your organization and clarify what you will accept, what your process is for reviewing vulnerabilities reported, and what is considered out of scope. For many companies, this includes paying bounties. Policies like this also ensure that any message comes through an official channel, rather than your CEO’s LinkedIn inbox.”
With that said, if a vulnerability hunter still contacts you and appears to be operating outside those policies, then Ellis says to give the researcher a chance to communicate precisely where he or she is coming from.
“Don't panic. Unless it's obvious that you shouldn't, apply the benefit of the doubt to the situation,” said Ellis. “There are many varying levels of communication ability, language understanding, and even maturity around knowing what is acceptable and what isn't. Keep in mind that this isn't about the researcher community per se. These sorts of requests can come in from anyone ranging from helpful, but confused hobbyists, right through to professional criminals.”
Furthermore, Ellis advised trying to conduct the conversation without acknowledging the payment request, “treating it like a normal unplanned vulnerability report from the outside.”
Prins also recommended against paying the bounty if that action is not spelled out as an option in your policy, “as it sets this precedent for the future.” He also added, “Contact your legal team if you believe you are being extorted or have discovered a strong indicator of criminal intent.”
One situation that can be a bit trickier to navigate, noted Swaminathan, is if the gray hat researcher wants to get hired as a contractor or full-time employee in exchange for disclosing the vulnerability. “Then you get into really complicated situations of confidentiality – what the terms are gonna be, whether you want to hire them, whether that's a payment for the bounty, whether that's a payment to keep their mouth shut. And so that you have to actually go through pretty delicately,” he said.
Last August, U.S. prosecutors indicted former Uber chief security officer Joe Sullivan for allegedly covering up an extortion payment to two hackers by making it look like a bug bounty reward. The hackers involved had previously pleaded guilty in federal court. The Sullivan indictment serves as a lesson to companies to create more precisely defined parameters of what constitutes a legitimate vulnerability disclosure transaction, and to more strictly enforce them.