Bug Bounties are undervalued, mispricing led to hacker stealing $40 million from Binance
15th May 2019
Companies of all sizes are recognizing and paying individuals who report security problems in the company’s products, in what are called bug bounty programs. The deal is typically contingent on the individual not actually exploiting the vulnerability against the company and not disclosing the issue to the public, at least until the company has had a chance to patch it. This is a marked departure from treating software engineering’s darker arts as a form of heresy and hackers as an evil to be dealt with by law enforcement. Hackers, or bounty hunters, are now being leveraged to fix the security of the nation and of the global business sector.
Still, this is a delicate dance which lacks best practices, lacks adequate compensation, and lacks predictable behavior from law enforcement when parties don’t behave as planned.
It should be noted that although black-hat hackers are comfortable with the term hacker in a way that matches the general understanding of the word, many white-hat hackers subscribe to a much more nuanced, semantic version of the word which can disagree with what is being discussed here. 🤓 That version of the word has a historical context which never made it into the broader language, and the distinction is beyond the scope of this article. For the purposes of this article, the person or organization that penetrates another computerized system is a hacker.
Hackers typically operate under a code and can be trusted with a deal and promise not to exploit a system, in exchange for due compensation that the company itself made clear.
Binance is one of the largest cryptocurrency and digital asset exchanges, and it just had $40 million (7,000 bitcoin) stolen from it in a large and meticulous breach. Predictably, many crypto-skeptics are unable to tell the difference between an incompetent custodian and a problem with blockchain technology, and will use this incident to reinforce their beliefs about the latter. Misdirecting that energy at blockchain-based assets has the side effect of exempting the custodian from criticism. In this case, a custodian failed to protect the least sophisticated users of cryptocurrency, the ones who need a custodian to begin with, users who were also tricked into giving away access to their accounts, all while the custodian itself had neglected to keep its security procedures up to date for the particular payment network that the hackers used to get the stolen money out.
Ironically, the heist was only possible because Binance started a bug bounty program and implemented it insecurely, leaving their site more vulnerable than it had been, and leaving the bounty hunter with a choice: negotiate for the maximum $10,000 payout, or instantly take $40,000,000 in bitcoin.
Software development and security have been an integral part of business for 30 years, yet many parts of organizations, including management, treat the computational infrastructure with mysticism and a cognitive exemption. For many executives, it is a point of pride that they do not need to understand the information technology that is assuming all the roles around them. The same excuses for their ignorance that they got used to making three decades ago are now a comfortable comic relief for people like them, despite having had literally their whole career to get up to speed. Understanding electronic things is not inherently easier for younger generations; there is no measurable difference in brain plasticity to excuse the ignorance. There is simply social pressure to understand some things in some demographics, and that pressure is notably absent in others.
There is a growing knowledge and skills gap, and software engineers are on the useful side of it. The current reality is that there is a thin balance of tolerance between software engineers and the industries they navigate. The upward compensation pressure for software engineers is more than a factor of supply and demand: it is what placates engineers enough that they do not turn the entire infrastructure to their own ends.
The process of collecting a bug bounty is where this balance currently falls apart.
The value of a bug bounty is typically determined unilaterally by the company that posted the bounty. As the company is not yet aware of the actual vulnerability, it has to loosely categorize types of vulnerabilities and put price tags on those categories. When someone discovers and reports an issue, the company decides which category it falls under, if any, and then decides whether it qualifies as a bug at all. The bounty hunter is often disappointed to find out that they will not be paid, for reasons such as the company unilaterally deciding the reported issue was a feature instead of a bug, or was already known, or was out of scope. Perhaps the company unilaterally decides to pay a lower amount than expected. Some companies still do not understand their own bug bounty programs, or the code that hackers operate under, and may pursue legal action. The bounty hunter may have put any number of hours into finding and documenting the bug, only to be paid nothing, or perhaps $100, or perhaps $10,000. Even the current upper bound of payouts is lower than the findings are worth.
Bounty hunters pursue this role for a variety of reasons such as the recognition, compensation, the mere challenge and most importantly: lack of liability.
Weaponizing an exploit is more involved than finding it. Hacking outside the parameters of the bug bounty program creates criminal liability, and at that point the hacker still has not been paid.
The highest-paying bug bounties are reserved for the hardest-to-find exploits, the ones the company also considers most debilitating, and therefore for the most perceptive and highest-skilled software engineers. Those reports face the strictest review process, all for perhaps $10,000. The same Silicon Valley companies pay this kind of software engineer at least $10,000 every week in salary alone, and double that when factoring in total compensation.
Indeed, even Binance, one of the fastest-growing companies on the planet and well positioned within one of the fastest-growing sectors on the planet, has its highest tier of bug bounty rewards set at $5,000 to $10,000. Notably, they also have an unlisted reward range that can reach $100,000.
Weaponizing an exploit can pay a lot more. Merely disclosing that a hack occurred can wipe untold value off a publicly traded company’s share price, and a bet that the share price will decrease can earn the hacker millions. Liability is harder still to establish if the hacker trades a merely correlated asset instead of that company’s stock. If the hack resulted in a data breach that the hacker copied, the hacker can also attempt to sell much of that data.
This leaves an open question for companies and organizations: What is the adequate price for a bug bounty? Aside from simply increasing the price for bounties — which I argue is very important — perhaps there is a better way to adequately compensate security researchers and bounty hunters.
I am particularly sensitive to asymmetries. When there is an information asymmetry along with a pricing asymmetry, a different approach to resolution must be considered, and that is why I built the Pareto Network.
The Pareto Network is a peer-to-peer intel market, where the incentive models allow the market to decide the value of information. Initially it was meant to incentivize information sharing only in the capital markets, but members use it for 0-days and software vulnerability disclosures as well.
There is no upper bound on what can be earned in the Pareto Network, which allows for more practical monetization of vulnerability disclosure. Several aspects of the system are further aligned with the needs and goals of security researchers, notably that the system itself introduces no liability.
Following best practices, security researchers can disclose anonymously and be paid anonymously, because the Pareto Network inherits payout fulfillment from the Ethereum blockchain and user identity from the Ethereum address space. All the Pareto Network knows about each member is their Ethereum address. Note that haphazard use of the Ethereum blockchain is not anonymous: transactions are public and addresses are pseudonymous, so reusing an address, or funding it from an exchange account tied to your identity, can link a disclosure back to you.
While the Pareto Network’s use in the capital markets has burgeoning utility, its use in software vulnerability disclosure has shown how it addresses information asymmetries in a variety of fields.
Now, bug bounty hunters, hackers, security researchers and more can get paid the amount their disclosure is actually worth.
Learn more about the Pareto Network here.
Bug Bounties are undervalued, mispricing led to hacker stealing $40 million from Binance was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.