Over the past several years, the cybersecurity industry has reaped tremendous benefits by tapping into the wisdom of crowds. It’s done so through the rapid adoption and maturation of the bug bounty concept.
Through bug bounty programs, enterprise organizations, software developers, and websites entice independent security researchers to find and report previously unknown vulnerabilities in their systems and code in exchange for payment and recognition. The idea is that the crowdsourcing organization can gain countless extra pairs of eyes to help it find dangerous flaws that its security team may have missed, thereby adding an extra layer of assurance to its vulnerability management program.
Bug bounties are hardly a new concept—they’ve been around for decades. But the advent of commercialized platforms and coordinated research communities built up by a legion of growing bug bounty vendors like HackerOne, Bugcrowd, and Synack has recently accelerated the profile of bug bounties in the public and private sector.
As the security industry examines the positive impact being made by bug bounties today, now may be the time to think about how crowdsourcing can be successfully extended into other areas of cybersecurity. As we build out a new platform for the dissemination of quality threat hunting content, we at Cyborg have identified threat hunting content with associated contextualization as one of the most promising domains into which cybersecurity can port the bug bounty concept.
All around the world there are many passionate security analysts and threat hunters who spend countless hours tracking down threat behavior and building profiles of the tactics, techniques, and procedures (TTPs) used by specific adversaries today. They create invaluable content that puts together vibrant pictures of threat activity, but much of that work happens in isolation. The product of their labor might be used by one organization, or perhaps a handful of others through some limited sharing within professional or industry groups.
But what if these talented minds were given the motivation to create more content like that and the opportunity to broadcast that content in exchange for remuneration? What if the industry could tap into threat hunting content from an army of analysts? With the right design, we believe that content bounty programs could provide security organizations tremendous benefits.
Cyborg is currently endeavoring to build out a community function as a part of our threat hunting content platform. In doing so, we’d like to start running content bounty programs that can extend the expertise provided by our own expert threat hunters to countless more who are fighting the good fight throughout the cybersecurity community. Our content bounty program is still a work in progress, but the idea is that we will extend challenges for new threats and accept content submissions focusing around specific parameters. We’ll then reward cash prizes to not just the top submissions but to our bounty community as a whole, within the rules of the program.
Like with bug bounty programs, nothing will replace the formalized hunting provided by in-house hunters and vendor assistance. However, content bounty programs could add an additional layer of assurance and coverage in the search for new malicious TTPs.