Dec. 8, 2023
Chris Holt, Bug Bounty Intel
Before the explosive growth of AI, cybersecurity was the tech area transforming the most and at a breakneck pace. The popularity of AI has done anything but replace security as a priority. Instead, AI is propelling security forward even faster.
In 1995, the same year the movie Hackers was released, one of the first Bug Bounty programs was launched by Netscape. Hundreds of companies have since launched Bug Bounty programs and thousands of security vulnerabilities have been discovered. According to NIST’s National Vulnerability Database, in 2001, fewer than 2,000 vulnerabilities were documented; two decades later, that number grew to 20,000 in 2021 alone.
The Exploit Database reports that exploits have been decreasing since their peak in 2010. However, the number doesn’t convey the severity of exploits, including the cost and fallout. Nor does it capture the true number, since this database is dependent on user submissions and many exploits go unreported.
This is why it’s so critical that technology companies powering our industries take security seriously and invest in robust and comprehensive security assurance practices.
The more vulnerabilities we find before a product goes to market, the more secure we can make it. I’ve spent half my career leading Bug Bounty programs, finding new ways to harness the talent and skill in the hacker marketplace. Through this work, I see five trends taking hold in 2024 that will directly impact how companies and hackers relate:
1.) Pressure will increase from a new generation of hackers ready to see change.
Gen Zers, born between 1995 and 2010, have experienced immense challenges: from racial inequality and a pandemic to global warming and political division. It’s no wonder they seem ready to make changes and are willing to make waves in doing so. As they enter the security research community, their propensity for driving change will influence how companies collaborate with the hacker community and respond to security incidents.
In my view, the tension point will be disclosure. For the security researcher who wants urgent remediation and disclosure, an expedited timeline will be the priority. On the other hand, companies managing triage and mitigation will likely still face engineering challenges and the need to coordinate with software suppliers up and down the technology stack to deploy comprehensive mitigations.
Companies need to manage the stresses on their Bug Bounty, Incident Response, and engineering teams to reduce the likelihood of burnout. Respectful collaboration between the hacker and company will be imperative, prioritizing communication between the two in order to achieve their shared goal of better protecting the people using the technology.
2.) AI will drive new legislation and government mandates for hackers to test new tech products.
In July, the White House began eliciting agreements from major tech companies to facilitate third-party discovery and reporting of vulnerabilities in their AI systems (that means including AI systems in their Bug Bounty program scope).
Consider that just last year, the U.S. Department of Justice said it will no longer prosecute ethical hackers under the Computer Fraud and Abuse Act (CFAA). The calls for Safe Harbor clauses in our bounty program policies to protect ethical hackers from legal repercussions if they meet set criteria began as far back as 2018. By the end of 2022, European governments started implementing Good Faith Security Research concepts in their vulnerability disclosure policies. The industry went from “you should have a Bug Bounty program” to “you should collaborate with ethical hackers, without a looming threat of litigation” to “you should ask ethical hackers to review AI technology” in just a few years. Legislation around AI will continue transforming how companies work with security researchers and ethical hackers. If a company works on AI technology, it will likely need to have a Bug Bounty program. And if it is doing so for AI, it should probably do so for all its products.
3.) Having a program will no longer suffice; we’ll see standards emerge that will create more consistency and enforce best practices.
Between government legislation to improve cybersecurity worldwide and the demand for security in AI, it seems we are moving closer to Bug Bounty standards. Although there are several standards on vulnerability disclosure, today there is no universal, or even industry, standard for Bug Bounty programs. Each company defines its own program, leading to very different results, management, and implementation. This creates complexity in how ethical hackers and security researchers engage with companies to support secure product development.
As the maturity of Bug Bounty grows, we’re seeing a growing need for consistency. Based on how we’re seeing this space develop, soon it will not be enough just to say you have a program. You’ll need to deliver in a way that meets industry standards.
4.) Demand for hackers will increase their numbers and encourage skill building, including hacking the hardware.
Government legislation and industry standardization will drive demand across technology providers—regardless of industry—for ethical hackers and security researchers. Aside from these positive pressures, companies are wary of the growing risk from malicious hacks. Turning to ethical hacking puts companies in a proactive position to find potential vulnerabilities and mitigate them before they can be exploited. Meanwhile, the ethical hacker’s career lifecycle hits a point of divergence: invest in themselves and grow their skillset (most often in just one specialized area), or monetize their skills by building a tool or service company and step away from hacking.
With demand growing, we hope to see more hackers and security researchers invest in new skillsets (and more companies invest in training and collaborating with them). At Intel, we’re throwing down more challenges for hacking the hardware, creating opportunities for the hacker community to collaborate with our engineers and each other, and always looking for ways to reach new audiences or find or create new hackers. Not only have we seen the benefits in quality of bugs found, but we’re encouraged to hear about the personal growth security researchers are experiencing through these activities.
5.) Diversity initiatives must expand into the hacker domain if we are ever to meet the demand generated by companies.
We need more ethical hackers and security researchers. In particular, we need more diverse hackers. The value of diverse backgrounds and perspectives is proven time and time again. After all, that is the point of having outside researchers: their unique perspective lets them look at things the way we haven’t and uncover bugs because their use case differs from the one that was planned.
The challenge we all face is the nature of the current company/hacker relationship. Companies can be skeptical of having a third party find issues in their products and may low-ball rewards for findings. These negotiations can be confrontational, and hackers must justify their value on a regular basis. This can lead to burnout and a feeling of being undervalued, which is heightened for diverse hackers.
It will take effort from both the companies and community to create a more welcoming space for everyone, which will ultimately benefit everyone.
If you have thoughts on these trends for 2024, I’d love to hear from you. Share your thoughts on LinkedIn and tag me (@Chris Holt) and @IntelSoftware. Connect with us on X via @IntelSecurity. And to find out more about the live hacking events and outreach arm of Intel’s Bug Bounty program, Project Circuit Breaker, go here: www.projectcircuitbreaker.com.
Also, check out our latest live hacking event that brought 80 elite hackers together to try to break our latest SaaS product.