**Why Bug Bounty Schemes Have Not Led to Secure Software**

Katie Moussouris, a white hat hacker and security expert, has been at the forefront of bug bounty schemes for years. She was instrumental in persuading Microsoft and the Pentagon to offer financial rewards to security researchers who found and reported serious security vulnerabilities. Since then, bug bounty schemes have proliferated, with some companies offering awards of $2m or more to those who find critical security vulnerabilities.

Moussouris believes that bug bounty schemes have failed in their purpose of making software secure. "Intrinsically, it is exploitative of the labour market," she says. "You are asking them to do speculative labour, and you are getting something quite valuable out of them." The problem is the payment model: only the first researcher to find and report a given vulnerability is paid. Anyone who puts in the same work but reports it second or third gets nothing.

Moussouris likens vulnerability research to working for Uber, only with lower pay and less job security. The result, she argues, is an uneven playing field: a few researchers can make a living by harvesting medium-risk vulnerabilities, which pay less than critical bugs but are far easier to find in volume.

However, most security researchers struggle to make a living as bug bounty hunters. "Very few researchers are capable of finding those elite-level vulnerabilities, and very few of the ones that are capable think it is worth their while to chase a bug bounty," she says. "They would rather have a nice contract or a full-time role."

**The Dark Side of Bug Bounty Schemes**

Another issue with bug bounty schemes is the legal risk faced by security researchers. Moussouris points out that anti-hacking laws, such as the UK's Computer Misuse Act and the US's draconian Computer Fraud and Abuse Act, can expose researchers to prosecution even when they find and report a vulnerability in good faith.

When Moussouris joined Microsoft in 2007, she persuaded the company to announce that it would not pursue legal action against researchers who found vulnerabilities in Microsoft products and reported them responsibly. Other software companies have since followed suit. The UK government has now recognised the problem and promised to introduce a statutory defence for cyber security researchers who spot and share vulnerabilities, to protect them from prosecution.

However, many software companies insist that researchers sign a non-disclosure agreement (NDA) before they are paid for a vulnerability report. This runs counter to the best practices for vulnerability disclosure that Moussouris has championed through the International Organization for Standardization (ISO), notably ISO/IEC 29147 on vulnerability disclosure and ISO/IEC 30111 on vulnerability handling processes.

**The Rise of AI and its Impact on Bug Bounty Schemes**

The rise of artificial intelligence (AI) could make white hat hackers redundant altogether, but not necessarily in a way that leads to better software security. All of the major bug bounty platforms in the US are already using AI to help triage incoming vulnerability reports and to augment penetration testing.

An AI-powered penetration testing platform, XBOW, recently topped a bug bounty leaderboard by concentrating on relatively easy-to-find vulnerability classes and testing likely candidates systematically at scale, harvesting security bugs faster than human hunters. "Once we create the tools to train AI to make it appear to be as good, or better in a lot of cases, than humans, you are pulling the rug out of the market," Moussouris warns.

The risk is that the current generation of experts, the people with the skills to notice when an AI system is missing something important, will stop being trained. "Bug bounty platforms are moving towards an automated, driverless version of bug bounties, where AI agents are going to take the place of human bug hunters," she says.

**Government Intervention Needed**

Moussouris believes that governments will have to step in and change laws to make software companies liable for errors in their software. "All governments have pretty much held off on holding software companies responsible and legally liable, because they wanted to encourage the growth of their industry," she says.

"But that has to change at a certain point, like automobiles were not highly regulated, and then seatbelts were required by law." She argues that liability is necessary both to end the exploitation of researchers' speculative labour and to create a more secure software ecosystem.

**Growing Tensions between Governments and Bug Bounty Hunters**

The work of bug bounty hunters has also been affected by moves to require technology companies to report vulnerabilities to governments before they fix them. China introduced such a requirement in 2021, obliging companies to disclose newly discovered vulnerabilities to the authorities within 48 hours.

"It was very clear that they were going to evaluate whether or not they were going to use vulnerabilities for offensive purposes," Moussouris says. The European Union (EU) has since adopted the Cyber Resilience Act (CRA), which imposes similar obligations: manufacturers must report actively exploited vulnerabilities to ENISA and national authorities within 24 hours of becoming aware of them, ostensibly so that European governments can prepare their cyber defences.

Moussouris is a co-author of the ISO standard on vulnerability disclosure (ISO/IEC 29147) and argues that mandatory pre-fix reporting widens the pool of people who know about an unpatched vulnerability, making leaks more likely. She warns that hostile nation-states will exploit this system to learn about new security flaws before patches are available.