Over the past twelve months we've heard about CEOs getting serious about cyberthreats, about the growing clout of CISOs, and about data privacy and safety rising to the top of boardroom agendas. Now juxtapose these talking points with the fact that Google paid out record sums in 2019 under its bug bounty programs.
In case you missed the joke, here it is in plain English: if enterprises are really keen on keeping data safe and private, why are they paying millions to outside researchers to uncover vulnerabilities across their products and services? Doesn't this sound like the police outsourcing security to neighbourhood watch schemes?
In its security blog, Google says, “Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.”
Ahem! What was that Sundar Pichai said about privacy being at the heart of what Google does? In case you’ve missed that quote, here it is: “For us, privacy is at the heart of what we do,” Pichai said. “Users come to Google at very important moments, ask us questions, we deal with people’s sensitive information in Gmail, Google Photos and so on, and so we have to earn their trust. Today we do it by giving them control and transparency and choice around it.” He said so at the recent Davos Summit, so it’s not as though it’s very old hat.
And now Google reveals that its Vulnerability Reward Program, which has been running for a decade, has had a record-breaking year. The company has paid out more than $21 million in bug bounties since the program began in 2010, of which over $6.5 million went to 461 researchers in 2019 alone. Guang Gong of Alpha Lab was the single biggest winner, receiving over $200,000 for a remote code execution exploit chain against the Pixel 3.
In fact, Google is among a host of companies pushing the envelope on bug bounty programs. Last year it boosted the Android Security Rewards by raising the maximum prize to $1 million for a full exploit chain that could compromise the Titan M security chip in its Pixel smartphones.
The fact that annual payouts have more than tripled, from about $2 million in 2015 to $6.5 million in 2019, suggests that either there is more breakage in Google's code or there are simply many more ethical hackers out there looking to earn some extra cash.
By the way, Google isn't the only one seeking hacker support. Microsoft launched a bug bounty program for the Xbox gaming platform yesterday, under which it promises to pay between $500 and $20,000 for vulnerabilities found in the Xbox Live network and services. It says anyone can submit a vulnerability, whether gamer or security expert.
While hacking is now an accepted profession in which people can earn an honest and decent living, the fact remains that staying ethical or going rogue is a personal choice, and bug bounty programs offer no protection against the latter: a researcher who finds a bug may simply sit on it and wait for the right moment rather than disclose it.
Of course, there are bug bounty platforms such as HackerOne and Bugcrowd that host programs through which independent researchers test systems and disclose vulnerabilities to the companies concerned; at other times the enterprises themselves engage one of these platforms to probe their infrastructure and websites for potential vulnerabilities, as was the case with Microsoft Azure.
However, the question that springs to mind in all this rigmarole is where an enterprise should start outsourcing and where it must stop and take total ownership. Perhaps that's a debate for the experts at the next cybersecurity workshop.