Cloud and OSS risks have Bug Bounty adoption humming
By Justin Kestelyn - Head of Product Marketing, Bugcrowd
Since the invention of the internet, the risk of cybersecurity attacks has been a constant presence. But in the past 10 years, two of the most impactful trends in IT history–cloud computing and open source software (OSS)–have given that risk dimensions beyond our wildest dreams.
The good news is that crowdsourced security and bug bounty are tailor-made to help address the problem, and their adoption by hyperscalers for their cloud products and open source projects is proving it. Why? Because crowdsourced security (the process of collaborating with a "crowd" of security researchers/ethical hackers to meet security goals) and bug bounty (an economic model for incentivizing vulnerability discovery) operate at scale like nothing else.
Hyperscalers Double Down
Microsoft is an enthusiastic adopter of bug bounty, and recently announced that it paid out $13.7 million in rewards through its 17 active bug bounty programs over the past 12 months (Bugcrowd processes bounty payments for Microsoft's programs). Possibly based on the rapidly expanding attack surface associated with cloud infrastructure (including the discovery of six critical Azure vulnerabilities in 2021), Microsoft expanded its bug bounty programs in the past year, adding "high-impact security research scenarios" to its Microsoft Azure Bounty Program.
Although Amazon Web Services has a less systematic approach to crowdsourced cybersecurity than Microsoft to date, it does accept vulnerability submissions for its cloud products and open source projects, and provides public infrastructure for running private bug bashes (with a goal of squashing 1 million bugs, collectively).
Beyond cloud infrastructure itself, cloud applications are inherently at risk due to potential misconfigurations or data exposure, insecure APIs, lack of tenant isolation, and numerous other reasons. As Bugcrowd Founder/Chairman/CTO Casey Ellis has remarked, "A lot of people would just assume that [security] is all sorted when they go to use a cloud provider — and might be a bit surprised to find out it's not."
Google Brings Bug Bounty to Open Source
Meanwhile, in August 2022, Google rolled out a new self-managed bug bounty program focusing solely on Google's open source projects. The new Open Source Software Vulnerability Rewards Program (OSS VRP) will offer vulnerability rewards that range from as low as $100 to slightly over $31,000, with possible bonus increments that range to $1,000 in the case of a "particularly clever or interesting" vulnerability.
Google was an early adopter of bug bounty through what is now called its Bug Hunters Community, with 12 years of experience and more than $38 million in payouts on record. In 2021, Google disbursed a total of $8.7 million in bug bounty rewards to nearly 700 security researchers across 60 countries.
This new program is another proof point that the open source software supply chain has become nearly impossible to defend with traditional means due to complex dependencies, constant code churn, increased opportunities for malicious code injection, and other factors. In its announcement, Google cites a 650% year-over-year increase in open source ecosystem attacks, including the recent major incident involving Log4j.
Next Steps
Now that cloud adoption and open source software are ubiquitous, more security leaders are learning the lesson that Microsoft and Google learned years ago: that status-quo, reactive approaches to cybersecurity alone fall short as scale grows–and nothing says "scale" like cloud and OSS.
Justin Kestelyn is Head of Product Marketing at Bugcrowd. Previously, he held product and developer marketing positions at Google Cloud, Cloudera, and Oracle.