While the payoff can be huge for freelance bug bounty hunters, the sensitive nature of their work also exposes them to a range of challenges.
Ethical or white hat hackers who work as freelancers are rewarded for discovering security vulnerabilities in computer systems that could otherwise be exploited by black hats, or malicious hackers. The payoff can be substantial or negligible, but either way the work comes with threats of its own. Over the years, organizations such as Google, Facebook, Apple and Microsoft have launched their own bug bounty programs offering large rewards to white hat or ethical hackers. The number of bug bounty hunters has surged over the past few years, and the motivation is both knowledge and money.
Hunter Becomes The Hunted
Bug bounty hunters who do their security work from remote locations have one advantage: they keep business networks safe from accidental infection by malware that escapes a sandbox and would otherwise move laterally into the corporate network.
However, conducting threat intelligence and incident response from insecure locations can put threat hunters at risk of being discovered by the very hackers they are chasing. This raises technical, legal and governance issues. Most freelance threat hunters and cybersecurity experts are highly skilled and intelligent, but can they withstand a nation-state-sponsored cyberattack?
Malicious adversaries are growing more sophisticated, notably in their use of social engineering techniques, and working outside the company network does not remove that exposure. It is difficult for bug bounty hunters who work for large organizations, critical infrastructure and other high-value targets to stay anonymous. Malicious hackers want to know who the bug bounty hunters are, so they employ social engineering to identify them and then try to break into their networks, especially when those networks hold critical information or digital assets.
Dilemma of Cyber Threat Hunters
Cyber threat hunters are information security professionals who proactively detect and neutralize advanced threats that have eluded automated protection solutions. Large organizations typically hire their own threat hunters, or run bug bounty programs that give security researchers an incentive to report the vulnerabilities they find. In stark contrast, some organizations treat the unsolicited discovery of vulnerabilities in their cyber defenses as an attack.
Enacting laws that protect zero-day researchers, as these information security professionals are also known, across multiple jurisdictions could ensure that their potential is realized and that none of them, dissatisfied with the response of the organization that owns the vulnerable system, joins the side of cybercriminals.
Bug Bounty Hunters Protected from Legal Threats
When bug bounty hunters discover a security vulnerability and notify the organization, they are not always rewarded. While the payoff can be huge for freelance bug bounty hunters, some have instead been targeted with legal action, both under copyright law and under the criminal laws that govern access to or interference with computer systems.
The Register reported that the Cybersecurity Advisors Network (CyAN), a Paris-based body that represents information security professionals, has formed a new working group to advocate for legislation that would prevent vendors from suing security researchers who disclose zero-day bugs in the vendors' products to them.
In the United Kingdom, information security professionals and a group of pro-reform academics have repeatedly urged the government to update the 30-year-old Computer Misuse Act, which is also seen as a stumbling block for those conducting threat intelligence research.
The Road Ahead
To satisfy legal and governance standards, threat hunting must be non-attributable while still retaining a clear audit trail. Meanwhile, in the face of growing oversight and concern over cybersecurity, enterprises should keep control of the environments in which anti-malware research is conducted in order to meet compliance requirements. Threat hunters can then continue their work in a safe, isolated and obfuscated sandbox that poses no legal or security risk to the enterprise. At the end of the day, it is all about protecting the organization.