Bug bounties: Crowdsourcing hackers to strengthen cybersecurity
Bug bounties? It sounds like hiring bounty hunters to catch pests, and that is essentially what it is.
The concept, which some hospital security teams are starting to consider, is a way to crowdsource hackers and other infosec experts to pinpoint vulnerabilities in IT systems by inviting them to attack those systems, then rewarding those who responsibly disclose the vulnerabilities they find with monetary prizes and, in some instances, public recognition.
If that sounds crazy, consider that the Pentagon has already run one successful bug bounty program and is preparing another.
The Defense Department hosted the federal government's first bug bounty, "Hack the Pentagon," in 2016. It has since awarded contracts to HackerOne and Synack to create contract vehicles that let DoD components and the military services launch their own bug bounty challenges. This second, two-pronged effort has the ultimate objective of normalizing the crowdsourced approach to digital defense.
“These contract vehicles will create an easier and faster path for components and services to set up their own challenges,” said Lisa Wiswell, bureaucracy hacker with the Defense Digital Service team. “Considering the tremendous cost-benefit of crowdsourcing talent, it’s proven that you’ll get more bang for your buck than with some of the other traditional security tools we’ve used in the past.”
That said, most hospitals and health systems should not attempt this highly complex exercise on their own; even the DoD enlisted partners.
The aforementioned Synack and HackerOne are two firms specializing in this emerging practice, as is Luta Security. Luta CEO Katie Moussouris helped establish a bug bounty program at Microsoft, and was instrumental in helping to formulate the Hack the Pentagon program.
HackerOne and Synack take somewhat different approaches. HackerOne connects organizations with independent security researchers and handles the payment of bounties. It also operates a directory, much like a white pages, that lets researchers find the right contact at an organization for reporting a vulnerability.
Synack engages independent security researchers on a subcontract basis and then facilitates an organized process for those researchers to assess an organization’s systems.
Before launching a bug bounty program, it is crucial to have a robust vulnerability remediation program in place. Bounty reports arrive continuously rather than on a schedule, each one must be triaged and validated, and a single fix may take weeks or months to complete, so the backlog grows quickly without a process to work it down. The upside is that this problem, and the processes for handling it, closely resemble what many healthcare organizations already do with penetration testing results.
Establishing a vulnerability remediation program requires not only the policies and processes for handling vulnerability reports but also adequate staffing to carry them out effectively.
Experts described a bug bounty program as “penetration testing on steroids.” Pen test results are point-in-time assessments, and they are only as good as the skills of the testers assigned to the project, so important findings can be missed.
The upside of a bug bounty program is that it turns the annual test into an ongoing activity throughout the year, and its crowdsourced nature brings a much wider range of skill sets to bear on finding vulnerabilities in your systems.