New: My two-month investigation of the bug bounty platforms reveals serious concerns about their business practices, and accusations that NDAs are being used to cover up security issues. 1/
csoonline.com/article/353588… @CSOonline
HackerOne's latest annual report claims they have 600,000 hackers. But do they? More likely 600,000 email addresses. CEO Alex Rice told me in 2019 only 9,650 finders filed valid vulnerability reports on H1. That's a difference of two orders of magnitude. 2/
Bugcrowd is playing the same game. When I challenged their numbers, they were unable to offer any clarification. Both platforms appear to be stretching statistics to the breaking point of credulity. 3/
So what's the harm? Yet another Silicon Valley startup with VC-fueled fever dreams of a unicorn exit. *yawn*

But when that aggressive greed results in silenced security researchers, unfixed bugs, and ignorant policymakers, then Houston, we have a problem. 4/
The platforms, and their customers, use bug bounties (as the carrot) and safe harbor promises (as the stick) to enforce non-disclosure.

In at least one case, we found an H1 client who demands non-disclosure in exchange for a safe harbor commitment. 5/
How much are safe harbor promises worth, if you're a good-faith security researcher? Depends on the safe harbor language, the jurisdiction, and the result of any litigation. Safe harbor is more a "scout's honor" promise than a binding legal contract. @eff weighs in: 6/
Now let's talk about labor law. The bug bounty platforms almost certainly violate California's #AB5, as well as US federal labor law, according to law professor @veenadubal. 7/
#GDPR. Are multinational companies complying with their data breach notification requirements when a bug bounty hunter discovers PII? GDPR expert Joan Antokol, who works closely with EU regulators, weighs in. 8/
NDAs for bug bounties are not compliant with either the spirit or letter of ISO 29147 or ISO 30111, the standards' co-author @k8em0 tells me. 9/
I have lumped HackerOne, Bugcrowd and Synack together under the umbrella "bug bounty platforms." But they are distinct in personality and business practices. I would rate the signal-to-noise ratio of their marketing in reverse order to their market position: SA, BC, then H1. 10/
Big takeaway:

Bug bounty platforms are *not* a scalable Silicon Valley business model. They are, at best, a modest value-add consultancy business. It's high time all three companies reined in their unrealistic ambitions for the good of society. 11/
Keep Current with J.M. Porup