Crowdsourcing Security

The old proverb says that “if you want a thing done well, do it yourself”. Rubbish. If you want a thing done well, get a few thousand other people to do it for you. No matter how good you are, the combined efforts of a few thousand other people are going to be better. Take security as an example. Businesses keep getting hacked because 10,000 hackers will always trump 100 code testers and auditors. Whatever loophole is missed by your people, the black hat hackers will have the motivation and the manpower to find it and exploit it. So how do you beat those 10,000 black hat hackers who want to steal your secrets and/or money?

Facebook have a solution that is on the right lines, with crowdsourcing as the key component. They do as much as they can internally, but then they also engage thousands of white hat hackers on their side. Facebook proved the worth of this approach in 2010, by adopting a policy which clarified how users should report security issues, and which gave users the assurance that they would not be held legally liable for the consequences of their research. This generated a lot of kudos for the oft-maligned social network; the Electronic Frontier Foundation went as far as applauding Facebook for their transparent stance on vulnerability disclosure. But the policy did more than earn kudos for Facebook. It rewarded Facebook, as white hat hackers found and disclosed previously unknown weaknesses, giving Facebook the chance to fix them.

Now Facebook has taken the next logical step, by paying money to those who notify them of security bugs; you can read about Facebook’s ‘security bug bounty’ here. Bounties for individual bugs range from USD500 to USD5,000, and they have proven to be an enormous success. According to Facebook’s security blog, the bounty program paid out USD40,000 during its first three weeks. One person earned USD7,000 for the six issues he identified. It shows that Facebook is backing the intelligence of the social network, using the wisdom of crowds to shore up its defences. In a world where many security experts aim to promote themselves and earn revenues by publicly demonstrating the exploits they have devised, it makes perfect sense to use the internet to create a rapid-fire marketplace, with minimal middlemen and the fastest possible exchange of information. It is better to buy the knowledge of security flaws as quickly as possible than to do nothing and allow that knowledge to be sold through a market run by the black hat hackers and criminals. Expect other joined-up internet firms to follow Facebook’s lead.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.