Ethical hackers have always had a dilemma: When they discover exploits, how should they report? While it might seem obvious to non-experts that when you find an Acme Widget vulnerability, you should call Acme and explain what you found. But this ignores many relevant factors. First, the compensation for such reporting has always been uneven at best. Companies pay penetration testing teams hundreds of thousands of dollars; so why should an independent hunter get nothing? Second, there is the fame factor. If you discover a real whopper in some important system or service, then some Big Magazine is likely to give you some serious street cred. This can be worth big bucks in the consulting racket.
Amazingly, a reasonable solution has gradually emerged. We’ve all watched as a new bounty hunting-type discipline emerged in our community – one that harnesses the creative instincts of ethical hackers, while also imposing a safe, legal structure on how they are compensated for such edgy work. Combining the best elements of crowd-sourced decision making with some of the earlier (and admittedly clumsy) bug bounty programs, new services have emerged that leverage a broad base of security researchers who are incentivized to discover vulnerabilities in your systems. I spent some time recently chatting with Jay Kaplan, CEO of Synack, to learn more about how this creative concept might help enterprise security teams. Here is what I learned:
EA: Jay, is it accurate to describe your offering as a bug bounty program?
JK: We prefer to describe our solution as a “crowd security intelligence solution.” Our model shares the crowd-sourced, incentive-driven, and adversarial components of most bug bounty programs; but with the complexities of modern cyber attacks and the difficulties in identifying and managing the vulnerabilities in today’s enterprise infrastructure, we’ve designed our approach to be more holistic than the typical bug bounty program. We’ve tried to develop a full-service model centered on the concept of trust anEd Amoroso discusses with Jay Kaplan of Synack the use of trusted ethical hackers to reduce security risk and management chaosd ease of use.
EA: When you say trust, are you implying trust across a community? And do you mean a public or private community?
JK: Unlike typical public bug bounty programs, Synack cultivates a diverse and private community of highly curated security researchers. We refer to this group of experts as the Synack Red Team or SRT, all of whom have been carefully vetted for both skill and trust, and their activity is continuously captured and monitored through our LaunchPoint platform, a characteristic that most existing bug bounty programs lack. This combination of vetted security researchers, combined with an auditable activity record, provides full transparency and sufficient technical controls for even the most conservative organizations to take advantage of crowd-sourced application and asset testing for sensitive applications and internal environments.
EA: For your customers, are you scanning target environments, perhaps at Internet visible entry points?
JK: In addition to the focus from our SRT, our engagements benefit from a proprietary technology we call Hydra that continuously probes and scans the assets and applications in scope. This approach enables our researcher community to more efficiently scale their testing and vulnerability discovery activities. It is also better suited than traditional bug bounty programs to meet the needs of clients who manage vast and rapidly evolving assets. When executed by large corporations who have no problem attracting and affording top security professionals, and who can allocate the appropriate resources to efficiently manage, triage, and support bug bounty programs – they can surely be effective. However, without the necessary resources, the excessive noise and lack of accountability and trust of bug bounty programs can become problematic and overwhelm internal security teams.
EA: What happens if one of your vetted researchers identifies and reports vulnerability that is already known? Does the researcher get compensated?
JK: No. A vulnerability that’s already known by the client organization is called a duplicate submission. Synack, and most incentive-based programs, typically reward the first participant to report a discovered vulnerability. This motivates researchers to report discovered bugs in a timely fashion, before someone else reaps the reward. A well-run program will try to carefully highlight which vulnerabilities are known ahead of time, to respect the researcher’s time. In rare instances, duplicate submissions may be rewarded when taking into consideration various factors such as the severity of the vulnerability discovered and quality of the report submission and accompanying details.
EA: Have there been business obstacles for enterprises to begin adopting your crowd security intelligence solution?
JK: Adoption has been strong. Initially, some CISOs struggle with the concept of having hackers attack their assets, but they typically get over these objections, once they understand the process and its controls. We explain the reviews, screening, and testing that are in place for all Synack Red Team procedures, and we elaborate on the assurance and accountability achieved by having all SRT activities tracked through Synack’s proprietary LaunchPoint technology. Additionally, we make certain that our customers understand the absolute confidentiality that is provided regarding their identity and any discovered vulnerabilities. Such controls ease business concerns and remove obstacles for security teams to begin working with us.
EA: Have you seen a change in the quantity and quality of reported vulnerabilities since bug bounties have been in place?
JK: As our client base and researcher community have grown over the past few years, the volume of vulnerability submissions has followed suit, but our commitment to quality has always remained our top priority. We pay close attention, as our customers do, to the signal-to-noise ratios (SNR) in our reporting. Our internal Synack Mission Ops team provides comprehensive vulnerability triaging, validation, prioritization, and reporting. This has resulted in an SNR of over 95% across all engagements. This means that our customers prioritize over 95% of the SRT-submitted vulnerability reports they receive from Mission Ops as “must-fix” vulnerabilities, with less than 5% of reports they receive being categorized as duplicate, out-of-scope, or “won’t fix”. We emphasize valid and actionable results over pure volume returns to avoid focus on non-exploitable vulnerabilities and duplicates that can overwhelm a security team, wasting their valuable time and resources.
EA: What are the prospects of bug bounty services for SMB? Do you think subscriptions can reach that size company?
JK: It’s inevitable that crowd-sourced security testing programs will reach the small business market. We’ve already seen it with some of the small, but quickly growing tech companies that have adopted Synack as part of their security lifestyle. Nowadays virtually every company, independent of size, is a data company and has layers of technology built into their business functionality and day-to-day operations. So, it is naïve to think that only large companies with sophisticated security programs can embrace our solution. Companies of all sizes can benefit from fully-managed, cloud-based solutions that harness the skills and expertise of hundreds of the best security researchers from across the globe Additionally, as we continue to evolve Hydra, our proprietary automated scanning technology, we will make continuous Crowd Security Intelligence testing available in a cost-effective way for mid-market and SMB customers.
EA: What’s been the weirdest vulnerability that you’ve seen found?
JK: Per confidentiality agreements with all Synack clients, we don’t publicly disclose specific vulnerabilities discovered across our diverse customer base. With that said, recently a Synack Red Team (SRT) member reported an extremely severe vulnerability in a critical enterprise system that required users to enter their account number and PIN to authenticate access. If you provided the wrong PIN, it would block access, but if you inputted no PIN whatsoever and pressed submit, it would grant access to any account number.