Crowdfense to expand scope and funding for bug bounty program
UAE-based Crowdfense has invested almost $10m in zero day exploits since April
UAE-based bug bounty specialist Crowdfense will expand funding for its bounty program, and the scope of zero day exploits which it seeks to acquire.
The expansion comes after the company paid out almost all of the $10m bounty fund it started with at its launch in April, and after growth in both its customer base and the number of researchers that supply it with zero day exploits.
Crowdfense also successfully launched its Vulnerability Research Hub (VRH) in September.
The company, which has offices in Masdar City and is funded by backers from the region, was established to trade in zero day exploits for Android, iOS, Windows and Mac. It buys zero days from security researchers and supplies them to law enforcement agencies and other government entities for use in legitimate surveillance programs and other legal uses.
Andrea Zapparoli Manzoni, director of Crowdfense, told ITP.net that the company is on track to invest all of the $10m initial fund it had allocated for bugs this year, and will increase its funding for next year.
Crowdfense is also expanding the remit of its program to include zero day exploits in common applications and utilities that can be used as vectors for hacking PCs and mobile phones, but it will not buy exploits in systems such as IoT, SCADA, wearables and so on, where exploitation could potentially be harmful.
The program is being expanded, he explained, because of improvements in the security of desktop and mobile operating systems and a competitive market, which mean that the company and the researchers it works with have to look harder to find ways into systems.
"For the first year we focused on relatively easy targets for the purposes of our customers - browsers and mobile devices. But there is a class of consumer products that are installed almost everywhere like Acrobat, utilities like zip, which are also part of the attack surface, of our targets," he said.
"The fact that we are expanding the focus of our bug bounty program is also due to the fact that vendors are improving the security of browsers and mobile devices, to a point where it gets harder and harder to successfully attack them, so we need to have more options."
Manzoni also said that the company is pleased with the generally positive response it has received from the market. Although software vendors and the more shady players in the bug bounty market have largely ignored the company, he has had positive feedback from security researchers, and even from competitors, towards Crowdfense's attempts to professionalise the market and improve transparency.
"We were surprised by the quality and the quantity of the offers that we received - considering we are the latest company to join this space, there is also a trust issue, but we have managed to transmit the message that we have a very professional [approach], and therefore we attracted a lot of interest.
"In fact, the way we are putting things forces people to discuss with us. It is not easy for people to point the finger at us and say 'these are arms dealers' because we are trying to be open, to discuss what we are doing. So people's reaction is either they ignore us, or if there is a discussion, they take us seriously," he said.
The company officially launched its Vulnerability Research Hub in September, and Manzoni said that this has also been well received. The hub, which is a marketplace for bug researchers and brokers to share and trade zero-day vulnerabilities, did attract some hacking attempts and fake registrations at launch, he added, presumably from curious competitors or researchers.
The VRH now has a base of around 30 regular researchers who are working with Crowdfense, and the company is keen to attract more talent.
One of the ways to do this will be the addition of a 'firing range' to the VRH, which will offer a free-to-use sandbox for researchers to try out all levels of hacks and exploits against selected systems. The aim is to encourage young hackers to develop their skills in a secure environment, using the most extreme techniques. This will also help the company talent-spot new researchers who could contribute in future.
The company is also considering offering targeted hacking challenges, which will task researchers with discovering unknown exploits in well-defended, up-to-date systems, as well as developing a knowledge base and training resources for its research partners.
The hacking challenges will also help to develop new talent, as well as assist the company in keeping ahead of new developments in technology. The improvements in platform security are making it harder for bug traders like Crowdfense to operate, and Manzoni expects some companies at the lower end to go out of business. Crowdfense believes that investing in young talent will enable it to keep finding new exploits to sell to its customers.
"There is a new generation of young talent, and by attracting them, we will also be able to see if someone is really talented, and maybe propose a contract [for them]," he said. "It is the best way to create a community of developers that work with us.
"What we really find hard today is we have to scout the market [for exploits], when we find something interesting, our customers don't need it, and when they need something, we cannot find it. The biggest problem is due to the short lifespan of these products, maybe the customer has an urgent requirement, but it can take three months to find it. So we are trying to develop a network of people to shorten the gap as much as possible, which means we will be able to give our customers what they need, when they need it."
Manzoni said that Crowdfense is also considering 'conditional disclosure' of zero day exploits, which would help to close vulnerabilities that are out of date but still live, for example in older versions of operating systems. Such disclosure would be sensitive, both for vendors who might have been running vulnerable systems for a long time and for other security entities who might secretly be exploiting that bug, but discreet disclosure under certain terms could help overall market security.
"When one of our vulnerabilities is still unpatched, but not used anymore, we could disclose it, which would be a service to the community," Manzoni said. "It is like when you have a used weapon, it is still dangerous, even though you have newer weapons."