While I was talking with a close friend recently, the topic of bug bounties came up. She asked me what I thought was a reasonable price range. I learned from that conversation, and from discussions with others, that the physical security world is massively different from the IT world in this respect.
Often in our lectures and trainings, we draw a parallel between the physical and digital realms. The same principles apply, the same kinds of errors lead to the same risks and the same lessons learned. However — and there’s really no getting around this — the cost to repair/upgrade/patch physical systems tends to be much, much higher.
For this reason, manufacturers of locks, access controls, and other physical security technologies are much more loath to even discuss (let alone disclose) vulnerabilities with the public. Likewise, because physical bugs tend to persist for a very long time (even after they become public), this sort of attack vector can be weaponized to much greater effect.
Bug bounties in the software world tend to float around the low four figures (although high four figures and five figures do happen occasionally, and sometimes garner a bit of attention when they do, and six-figure bounties have existed very, very rarely). I took the position that just about anyone I know in the physical security world would scoff at numbers in the $1,000 to $5,000 range. Well, perhaps not scoff, but most assuredly we would consider them almost comically low.
In the realm of physical security exploits and the development of tools that leverage such vulns (a development process that often entails far more cost and time than writing proof-of-concept code for a software bug), this kind of research often commands five figures at a minimum. Such deals also almost always entail NDAs and other very strongly worded agreements to effectively never publicize the research. Put plainly, if a physical security researcher finds a flaw in a high-security lock, the market for that work tends to be either governments or private firms with deep and often shadowy connections to government operators. A working tool that can be used to attack a physical security system often commands far more in the private realm than a designer could ever hope to recoup by bringing it to market through retail channels. Add to that the fact that most designers and vendors in the hardware and physical security space aren't courting researchers with fiscal rewards, and the result is a LOT of hardware bugs (lock flaws, access control system hacks, safe manipulation tools, etc.) never being revealed to the public at large.
Let us make no mistake: governments and law enforcement are interested in your data, too. Their ears perk up at the notion of software flaws and privilege escalation within networks or computers, but what really gets a lot of spooks and police salivating is the chance to surreptitiously enter physical realms. Intelligence gathering, eavesdropping, sneak-and-peek work, etc. are all based largely on physical access, and that means possessing attack vectors against supposedly high-security lock systems which the public believes to be immune to vulnerabilities.
Unless physical security vendors consider offering genuine bug bounties (something that is far from likely if they aren't yet even interested in public disclosure of discovered flaws), the only avenues for researchers are going to be:
1. public disclosure simply for the sake of the community and for the fun of speaking at hacking and security conferences
2. private sale to governments who will undoubtedly use this knowledge for purposes of surveillance and covert entry
So, give a cheer for every hacker con which accepts a talk with a physical security angle. The speaker may have turned down considerable funds in exchange for being able to present to you. And the topic areas, while sometimes not-the-norm, are far better aired publicly than kept quiet.
NOTE – This post was not supposed to turn into a "let's pat ourselves on the back here in the phys sec world" diatribe, so forgive me for that. Still, I'm pleased to be able to report that, as of the time of this writing, The CORE Group has never accepted any offer to keep research private in exchange for money, access, or favors. Our work is always either presented publicly, disclosed to the original vendor so they may endeavor to correct the problem, or both.