In the wake of Microsoft’s announcement of a $250,000 reward for new hardware vulnerabilities, there’s growing concern that inflated bounties might be creating perverse incentives for young cybersecurity researchers and distorting the market for white-hat bug hunters.
“If you can make considerably more money hunting bugs, there will be nobody left to fix them,” tweeted Katie Moussouris, a security researcher who created the first Microsoft program that rewarded those who reported vulnerabilities.
“Those who do the hard work of code maintenance in corporations, dealing w [office] politics for a salary that’s ~1 bounty are 1 bad meeting away from rage quitting to hunt bugs full time,” the tweet concluded.
“Motivations vary among hackers … but most are driven by some combination of three factors,” she told CyberScoop: financial compensation, peer recognition and “the pursuit of intellectual happiness — loving what you do.”
Moussouris would know. In addition to her practical work on the issue, she has spent years analyzing data about bounty programs and other features of the market in software vulnerabilities. This year, MIT published an analysis by Moussouris and others of the trade in software flaws, which revealed the defensive bug bounty market is highly stratified, with a small number of extremely skilled individuals bringing home the lion’s share of rewards.
In the datasets they analyzed, the authors found “a small number of key sellers are finding the overwhelming majority of all bugs.” In one dataset provided by bounty program managers HackerOne, for example, just 5 percent of hunters found 23 percent of flaws — and there were similar numbers in datasets from bounty programs run by Facebook and others.
So why would anyone skilled in finding vulnerabilities take a job rather than hunting for bounties where they could earn much more?
The risk premium
In the U.S., it’s possible that “a particularly gifted finder of high quality bugs could submit multiple $100,000 bugs in a given calendar year and make a $500K to $1M ‘salary’ based on bounties,” security architect Alex Ionescu told CyberScoop. But he added that the risks and costs involved were considerable.
Vendors rarely pay the maximum headline amount, he said, “and bounties that are worth such awards take months, if not years to find and exploit” — creating the risk that another hunter, or the software manufacturer itself, might beat the researcher to the punch, leaving them with nothing.
The benefits that full-time employment provided in the U.S. — health insurance, 401K and so on — also had to be factored in.
In the U.S., he said in an email interview, part of the choice “comes down to the preference of the person — do they want to socialize, work in an office, learn to work as part of a company, and use their skills to write code (some people are terrible at this), or work as an independent researcher (with the opposite lifestyle).”
Ionescu said that given the risk involved and the salaries they could command, bounties would have to rise to the $500,000 to $1 million level before high-skilled programmers in the U.S. “likely would reconsider employment.”
What about the black-hat market?
But bug hunters can already earn that level of reward on the so-called black-hat market — selling their bugs to intelligence agencies or criminal organizations for offensive use.
The offensive marketplace has always been much more financially lucrative than the defensive or white-hat one, said Justin Brookman, privacy and technology policy director for the Consumers Union. But black-hat sellers don’t get any public credit for their work; and some researchers are uncomfortable doing business in what is often a legally gray area.
The real perverse incentives in the white-hat marketplace right now, argued Ionescu, come from smaller bounties — and their impact is being felt in lower-wage countries like India and China, where the economics of bug-hunting are very different.
Another issue is the impact bug bounties have on other educational and employment opportunities. The concern is that bounty programs, overwhelmingly paid by companies based in high-wage economies, damage the pipeline of code developers in lower-wage economies — where a single $5,000 or $10,000 bounty might be the equivalent of a year’s salary for a developer.
“The pipeline for [code developers] is affected in lower-wage economy countries, but not by higher bounties, but rather by lots of smaller-paying bounties,” said Ionescu.
In the end, said Brookman, technology companies needed to invest not just in finding flaws in their existing products through bounty programs, but in designing their new products without flaws. Currently, he said, they were “not investing the resources on the front end to produce code that’s secure in the first place.”