The challenge of managing bug bounty programs for the Internet of Things will be a topic of discussion at the third annual Security of Things Forum in Cambridge on September 22nd.
Rajesh Krishnan of the bug bounty firm HackerOne will present a talk entitled “Device Hacking in the Age of Bug Bounties.” In his talk, Krishnan will present data and a framework for the IoT Bug Bounty program of tomorrow.
Bounty programs are one of the most notable developments in information security of the last 15 years. They mark a critical shift in how hacking is viewed: from a quasi-criminal activity to an essential skill for assessing the security of software products. Incentive programs (aka “bounties”) have since become the preferred method for attracting the attention of talented vulnerability researchers.
Bounty programs aren’t new. Netscape launched the first such program in 1995 to find holes in its browser code. But the programs have attracted increasing attention from outside the software industry in recent years. Firms like HackerOne and Bugcrowd have attracted venture funding by offering to run bounty programs on behalf of industries unaccustomed to working with independent security researchers. Among them: financial services and banking, automotive and manufacturing. Even old economy giants like GM have gotten into the act. That company launched a vulnerability disclosure program on the HackerOne platform earlier this year.
But the Internet of Things presents challenges for would-be bounty program hosts that simply don’t exist for, say, web applications, mobile applications or more traditional fare.
Hardware components like systems on a chip (SoCs) require specialized know-how to analyze, and a flaw in a widely used chip or firmware component can hide serious vulnerabilities that propagate through the supply chain to every product built on it. Bounty programs must also address the entire IoT lifecycle, from design through manufacturing to devices already in the field.
“You can hack a website a million ways and the website should stand up to them all. Hardware can’t handle that,” Krishnan says. “Testing can involve breaking. Sending a voltage spike through a consumer device… can fry the device. The cost and effort of hacking goes up dramatically.”
That means bounty programs will have to adapt to the unique challenges of the hardware space, including the cost of test devices that destructive testing consumes.
“IoT bug bounties may have to break from the pay for results model. There may be a need for pay per effort and pay per result,” he said.
In his presentation at the Security of Things Forum, Krishnan will give an overview of how bug bounty programs work, including how market prices for vulnerabilities are set, and then delve into the unique challenges of hardware hacking, drawing on findings from a 2016 HackerOne workshop on the topic held in Palo Alto that the company has not previously discussed publicly.
We hope you can check it out!