Welcome to FedBounty, a federally sponsored bug bounty program covering every business in the United States. FedBounty was established as a way to bolster our national defenses against the rising tide of cyberattacks impacting our economy and institutions. FedBounty's goal is to nurture the next generation of hackers into America's future cyber army and provide them with legal protections to allow them to grow their skills and strengthen our long term security.
Because FedBounty covers every business in the country it creates a system where security researchers can help even the smallest businesses improve their security and be rewarded for their efforts, either through recognition or financial rewards.
FedBounty is an effective national response to the rapidly growing capabilities of organized cybercrime and nation state cyber threats, one which allows us to nurture home grown talent in defense of our national economy and reward their efforts via small financial payments to the most productive participants in the program. It enables us to focus our most talented young people on helping the most insecure and vulnerable elements in our economy, increasing their skills and knowledge in the process.
Of course, FedBounty does not really exist. But it should, because...
Our Cybersecurity Researchers Need Legal Protection
Right now, if a security researcher discovers a major vulnerability and tries to notify the organization that owns it, they face a pot-luck dip of a) a nice bounty, b) a nice thank you, c) being ignored, d) being threatened, or e) being put in prison. Remember that these security researchers are trying to do the right thing and responsibly disclose a potentially serious vulnerability to the organizations affected.
When you consider that the researcher could quite easily have sold the vulnerability to cybercriminals, or used it themselves to commit cybercrime, you realize that they really are doing a favor for the organizations that they perform research on.
It could just as easily be a foreign cybercriminal (black hat hacker) who finds that vulnerability and exploits it for illegal commercial gain, and it is infinitely preferable that a security researcher (white hat hacker) tries to responsibly disclose it instead.
There are some good reasons for providing security researchers with the legal protections they need, and I think the three most important are:
1) It Strengthens Cybersecurity Nationally - We absolutely want these security researchers to be free to conduct their work with impunity, provided that they do the right thing and responsibly disclose. Their work is invaluable to our national cybersecurity efforts, and the white hats in our space deserve legal protection in return. Failing to provide them with legal protections is going to undermine national cybersecurity efforts over the long term, because it denies businesses the opportunity to tap into an enormously powerful resource, our homegrown white hat cybersecurity ecosystem, to improve their security.
The return on investing in legal protections for US-based security researchers will be improved cybersecurity nationally, in both the public and private sectors.
2) It Forces Organizations To Take Researchers Seriously - Too often security researchers are ignored by businesses that want to ignore the problem until it's too late; too often they are threatened with legal action by businesses that seek to protect their own reputations before they protect their data and IP; and too often security researchers are at serious risk of imprisonment, depending on which law enforcement officers get involved and the state or jurisdiction they are in. We need organizations to view researchers and their discoveries as a vital element of our national cybersecurity strategy and to treat them as allies instead of enemies.
Forcing organizations to deal with legitimate researchers seriously will pay dividends in the speed and rate at which these vulnerabilities are remediated.
3) It Creates A Breeding Ground For A Future 'Cyber Army' - Not a day goes by without us hearing about the great 'cyber skills shortage'. At a time when we can clearly see the increasing cyber capabilities of our nation state enemies and organized crime, we absolutely need to be encouraging our local talent. Providing the right legal protections would encourage a generation of our young people into action on a national scale and give them the protections they need to safely grow their skills and knowledge as they mature into our future cyber army.
Providing legal protections for researchers allows us to nurture the next generation of cyber defenders and foster a national ecosystem of cyber talent.
We Need A National Cybersecurity Register
When a security researcher discovers a cybersecurity vulnerability or data breach in a business, they may disclose it to the organization, but it rarely gets reported to anyone else unless they are completely ignored. Researchers out there are discovering countless vulnerabilities, and we have no idea how many there are, how serious they are, or whether they have been remediated. A National Cybersecurity Register, where security researchers can register their discoveries with a third party as they responsibly disclose to the affected organization, would serve three purposes:
1) It Provides Us With National Visibility Into The Problem - A register would provide us with a wealth of data we could leverage strategically and allow us to build up a historical record of organizations, industries and sectors with bad cybersecurity practices. If a security researcher had to register a serious discovery as they disclosed it, it would create a base of records that would help us build an accurate picture of the 'problem' organizations, industries and sectors that need more attention and focus. It would provide us with intelligence on the state of cybersecurity nationally and help us shore up cyber defenses in critical sectors.
It is not good enough that our cybersecurity ecosystem toils away in darkness; we need to know where our defenses are weak so we can better protect ourselves.
2) It Provides A National Disclosure Framework - There is no universally recognized legal framework for disclosure and remediation that organizations are required to accommodate. The best we have is a set of recommendations issued by a number of different organizations, disjointed state cybersecurity laws that are not applied nationally, and cybersecurity compliance regulations imposed on specific industries. In their place we need a clear national framework for the reporting and remediation of cybersecurity vulnerabilities that organizations can follow.
We need a national framework that places reporting requirements on stakeholders and a process which stakeholders can follow to ensure fast remediations.
3) It Provides A National Record Of Effort - In a world where cybersecurity vulnerability disclosures often go unrewarded, recognition is often the only payment security researchers might ever get, and a lot of the time they do not even get that. If we recognized the achievements of our researchers, it would lay the foundation for a system of rewards and recognition and enable us to target efforts on strategically important organizations, industries and sectors. You would not have to financially reward every participant if you properly recognized and recorded the participants' efforts and financially rewarded the most productive among them.
Gamification of the system would enable us to focus researchers' efforts on the most vulnerable parts of our economy and reward the productive for their efforts.
We already know that bug bounty programs providing a legal framework for researchers to discover and disclose cybersecurity vulnerabilities at large public/private organizations can be an effective tool of cyber defense. These programs need to be extended to include the most vulnerable parts of our economy: small and medium-sized businesses, which lack the resources and knowledge to properly protect themselves against the evolving cybersecurity threat landscape.
A national bug bounty program, underwritten by the federal government and bound into law with protections for researchers and a system of rewards, would allow us to focus our efforts on the most vulnerable parts of our economy while bolstering our national cybersecurity defenses at the same time. It would allow us to nurture and grow the next generation of cybersecurity professionals and help us maintain a competitive national cybersecurity lead over the long term.
Through the implementation of reporting and remediation requirements, combined with a simple system of recognition and rewards for participants, we could leverage a continuous national bug bounty program to create a national culture of cyber awareness and strengthen national cyber defenses in a grassroots way.
What we really need to withstand the growing global cyber storm is FedBounty.
Young people always ask me the same question: "How can I get into cybersecurity?" What I really want to tell them is "Register with FedBounty and start hacking."
** What's that? You like my crazy ideas? Then follow me on Twitter! **