Additionally, at a time when experts predict that 3.5 million cybersecurity jobs globally will be vacant by 2021 due to a lack of skilled workers, freelancers can ease some of the pressure on internal teams.
Still, the platforms face some big challenges. One is to continue to expand the pool of talented bug hunters. Another is to establish greater legal clarity on the tools and techniques that ethical hackers can safely use. Popular tactics such as injection attacks, which involve inserting code into a software application in a way that changes how the program executes, could potentially lead to prosecution under anti-hacking laws such as the United States Computer Fraud and Abuse Act (CFAA).
There have already been instances where security researchers and journalists have faced legal action for discovering and reporting vulnerabilities in company code. It would only take a few high-profile lawsuits to have a chilling effect on the industry.
University of hackers
To meet the talent challenge, crowdsourcing platforms are releasing much more content to help hackers improve their skills and attract more people to work together. Bugcrowd just unveiled Bugcrowd University, which offers free webinars and guides written on things like Burp Suite (yes, that’s really the name), which is a graphical tool for testing web application security.
The platform also works with experienced ethical hackers to help it identify and train promising freelancers. The best recruits are curious, tenacious, and ready to adapt quickly. “Technology changes so quickly that it is often difficult to catch up [with it],” says Phillip Wylie, Bugcrowd’s Dallas talent scout.
HackerOne is also releasing more training material and training freelance bug hunters – who can be quirky and sometimes abrasive characters – in soft skills such as more effective communication with corporate IT departments.
Legal air cover
Legally, the platforms are pushing for more “safe harbor” terms to be inserted into contracts governing bug bounties. The goal, says Adam Bacchus of HackerOne, is to make companies understand that if hackers follow the rules of engagement within reason, they will not be prosecuted.
Bugcrowd has partnered with Amit Elazari, a security researcher whose work has highlighted the need for safe harbor language, to launch an initiative called disclosure.io to create a standardized framework for finding and reporting bugs. This would provide explicit permission to use bug-hunting techniques that would otherwise be clear violations of anti-hacking laws.
It complements a larger push in the United States by groups like the Electronic Frontier Foundation to stop companies from using laws like the CFAA to silence researchers who find serious loopholes and responsibly disclose them.
Casey Ellis, founder and chairman of Bugcrowd, says other countries, like the UK and Germany, also have strict anti-hacking laws that could be used to thwart ethical hacking.
Such laws are necessary to prevent hackers of all kinds from causing havoc. The challenge ahead is to find a reasonable balance between protecting ethical hackers and protecting businesses from bad guys who want to cause damage. Getting it right won’t be easy, but given the serious talent shortage in cybersecurity, it’s an issue we urgently need to address.
Update (August 27): This article has been updated to show Amit Elazari’s role in the unlock.io launch.