Conversation with the head of the BI.ZONE Bug Bounty platform, Andrey Levkin, about his platform's results for the year

We continue to post materials from OFFZONE 2023. This time I decided to ask its director, Andrey Levkin, about BI.ZONE Bug Bounty in a little more detail. We have had material on this platform before, but only in news format; there is no detailed information about the platform. And although some time has passed, better late than never. At the same time, you can see how the situation has changed over the year. For example, last year 300 bug hunters were pre-registered on the platform, and the first customer was the Avito company. By the way, this is also the second interview from the past OFFZONE; the first, with a white hat hacker under the pseudonym Caster, is tucked into the review of this event.

Tell us about the key changes and successes of the platform over the year.

The main achievement is that more companies began to use the platform: since its launch, their number has grown from 1 to 23. At the same time, they host both public and private programs.

Not only representatives of large businesses (Tinkoff, VK, Avito, etc.) who have experience working with foreign platforms came to the platform, but also companies that had never tried such a tool. We told them how to work with Bug Bounty, how to interact with bug hunters, how to describe the program so that researchers have no questions, and where to start when planning a budget.

As for the technical results, the most important thing here is that we were able to make it easier for bug hunters to find vulnerabilities. It was necessary to ensure that a bug hunter was not mistaken for an attacker and was not blocked when he began to look for vulnerabilities. This problem was solved using a VPN. Researchers are placed in a special segment of the SOC, a dedicated tracking area. Then it is immediately clear that this is not attacker activity but legitimate research that does not need to be blocked.

And recently we added ratings and achievements. They are needed to further motivate researchers to be active and to show a success story. Take, for example, Ramazan Ramazanov, head of the external pentesting department at DeteAct. In the third quarter alone, he received more than 4.5 million rubles for vulnerabilities found in programs hosted on our platform. Bug hunters see how much they can earn from their knowledge.
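The researcher-VPN segment described above can be turned into a simple SOC triage policy: events from the known researcher egress range are routed to a tracking lane and never auto-blocked, while attempts to reach hosts outside the published scope are escalated for review. This is an added illustration, not BI.ZONE code; the address range, scope list, rate threshold and log lines are all constructed placeholders.

```python
import ipaddress
import re
from typing import Iterator, List, Tuple

# All values below are constructed for this example; they are NOT BI.ZONE's real ranges or scope.
RESEARCH_VPN_POOLS = [ipaddress.ip_network("10.77.0.0/16")]  # hypothetical egress range of the researcher VPN
IN_SCOPE_TARGETS = {"api.example.test", "www.example.test"}  # hypothetical published program scope
AUTO_BLOCK_RPM = 200  # hypothetical request rate above which an unknown source would normally be auto-blocked

# Constructed sample SOC events, one per line (not real logs).
SAMPLE_LOG = """\
2023-08-01T10:00:00Z src=10.77.3.9 dst=api.example.test rpm=900
2023-08-01T10:00:05Z src=10.77.3.9 dst=intranet.example.test rpm=40
2023-08-01T10:00:09Z src=203.0.113.5 dst=api.example.test rpm=950
2023-08-01T10:00:12Z src=203.0.113.8 dst=www.example.test rpm=12
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) rpm=(?P<rpm>\d+)")


def parse_events(text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (src_ip, target, requests_per_minute) from the key=value log format used above."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["rpm"])


def classify(src_ip: str, target: str, rpm: int) -> Tuple[str, str]:
    """Return (lane, action) for one event.

    Sources outside the researcher VPN follow the normal policy (monitor or block by rate).
    Sources inside it are kept visible in the tracking lane instead of being blocked, but any
    target outside the published scope is escalated to the platform for review.
    """
    src = ipaddress.ip_address(src_ip)
    if not any(src in pool for pool in RESEARCH_VPN_POOLS):
        return "standard", ("block" if rpm > AUTO_BLOCK_RPM else "monitor")
    if target not in IN_SCOPE_TARGETS:
        return "research", "escalate-out-of-scope"
    return "research", "track"


def triage(text: str) -> List[Tuple[str, str, str, str]]:
    """Run classify() over every parsed event and return (src, target, lane, action) rows."""
    return [(src, dst, *classify(src, dst, rpm)) for src, dst, rpm in parse_events(text)]
```

Note that the high-rate event from the researcher range is tracked rather than blocked, while the same rate from an unknown address is blocked; the out-of-scope probe from the researcher range is escalated instead of silently allowed.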

Compared to the launch, how much has the number of bughunters on the platform increased now, a year later?

To beta-test the platform, we conducted pre-registration, and then about 300 people came to us. Now we are talking about thousands of researchers. However, we must understand that 20% of program participants produce 80% of the results. According to our estimates, there are about 200 key bug hunters in Russia, and we hope that this number will grow. These guys are the ones who understand well how to write reports, where to look for vulnerabilities, and what risks can be realized in a particular company.

If HackerOne had not left Russia, would you still have launched your Bug Bounty platform?

Yes, we would have launched it, 100%. We began its development back in 2021; even then the Russian cybersecurity market was ready to connect to Bug Bounty platforms. But ensuring cross-border data transfer and complying with all regulatory requirements is quite difficult and costly in terms of resources. Because of this, companies prefer to use local platforms and not transfer data about found vulnerabilities to foreign servers.

So we saw that the Russian market was becoming more mature and was potentially ready for the emergence of a new, exclusively Russian platform. The launch of the platform was planned from the very beginning for 2022. Back then we were preparing to compete with foreign players and were confident that our product had everything needed for this. But circumstances changed: HackerOne left Russia. This brought potential clients to Russian platforms, but it did not have a very strong impact on our overall plans for developing the platform.

What are the main myths about Bug Bounty today?

Let’s start with the organizations that host Bug Bounty programs. They are very afraid that it is impossible to calculate the budget. However, that is not the case. The budget is a predictable story: typically 40% will be spent in the first month. At this time a “dam break” occurs: there is a short-term but large flow of reports and a heavy load on the team that handles triage.

Some companies are wary of working with independent researchers because they are unsure whether they can be trusted. However, on Bug Bounty platforms there are very strict rules, I would say, that regulate the activities of bug hunters. In controversial situations, the platform itself acts as an arbiter. And this is not to mention the fact that the bug hunter community itself values its reputation very much and is very scrupulous in matters of ethics. Any violator will be instantly expelled from the community, which means they will lose the opportunity to ever make money by searching for vulnerabilities again.

Bug hunters have their own myths and fears. Firstly, that bug hunting is supposedly illegal. In fact, the Bug Bounty process in Russia (and on our platform in particular) is as transparent as possible and complies with the law. If a bug hunter follows the rules of the platform, then no one can accuse him of anything.

Secondly, bug hunters fear that it will be very difficult to receive payments. But this is again a myth. We were able to automate this process. The principle is this: if the company has approved a payment and the bug hunter has signed the documents with an electronic signature, then within 30 hours the money will be in the researcher’s bank account or on their card. And this is not some mythical money months later, but real payments in a short time.

Well, one last thing. Many people consider themselves not qualified enough to search for vulnerabilities. Sometimes guys don’t understand that the barrier to entry into bug hunting is quite low in terms of knowledge. I still hear arguments in the spirit of “What should I do there, Ramazan has already found everything.” But this is not so: thousands of researchers have many different approaches, so everyone can find something different.

Do you have feedback on how to improve the platform?

Yes. Firstly, our platform hosts its own program on BI.ZONE Bug Bounty. Through it you can report bugs in the platform itself. Secondly, we have an email address and a Telegram account for various questions. In Telegram, anyone can ask their own question, for example about the interface, clarification of rules, controversial situations with the customer, and so on. We monitor all of this without fail. We are constantly in touch with bug hunters. No request will go unanswered, and we provide feedback as quickly as possible.

We also launched a separate Telegram channel dedicated exclusively to Bug Bounty. There we report, for example, on the launch of new programs and increased payouts.

Have bug hunters’ earnings increased or decreased with the advent of several Russian Bug Bounty platforms? Or do they not reach the level of 2022?

On the one hand, it’s hard to compete with HackerOne. There are hundreds of programs there, but on our platform in Russia there are only 55 programs, including private ones (author’s note: as of August 2023). This is, of course, incomparable. On the other hand, Russian Bug Bounty platforms are growing at a tremendous pace. 55 new programs on BI.ZONE Bug Bounty in just a year is a very good result. New clients are coming to domestic platforms, which means the number of programs will only increase. So yes, immediately after the departure of foreign platforms the income of bug hunters decreased for some time, but the situation is leveling out and will continue to improve.

Is it possible to earn from 120 thousand rubles a month just by doing bughunting?

Bug hunting is not really about stability. Unfortunately, you can earn 2 million rubles in one month and nothing in the next. In fact, there are many programs on the platforms; you can participate in any of your choice, and there is no payment ceiling. If a bug hunter has strong competencies, he can earn several million per quarter. Beginner researchers’ income is, of course, lower, but with experience it will increase. So 120 thousand per month is quite an achievable amount and far from the limit.

Have there been any cases when a person came to the platform as a bug hunter, successfully found several or many vulnerabilities, and ended up on the BI.ZONE staff?

On the BI.ZONE staff, no, although we interviewed several people. But there are interesting cases when companies find bug hunters through specialist chats and offer them jobs. That is, a person who brought in a lot of cool bugs is asked whether he would like to work at that company in-house.

However, you need to understand: bug hunters are free people. Let’s just say, artists. Therefore, many of them simply do not fit the standard office work schedule.

Well, since we have started drawing analogies with artists, how do you now picture the portrait of a Russian bug hunter?

In general, the audience is predominantly male, on average from 17 to 27 years old, IT specialists. But there are also female bug hunters, and there are more and more of them. Most often, researchers work in large companies with a high level of cybersecurity: they have established processes, they understand how to work with vulnerabilities, and they know the concept of a red team. Moreover, these specialists are more likely not pentesters but AppSec specialists. Here at the conference (author’s note: OFFZONE 2023), most fit this description.

These are the results of a year of work by BI.ZONE Bug Bounty. I am glad that more and more companies are coming to the conclusion that they need to test their cyber resilience using different methods. And government agencies too. For example, just three days ago (November 10, 2023), the Ministry of Digital Development of the Russian Federation launched the second stage of a program to search for vulnerabilities on the State Services portal and other e-government services, on the same platforms where the first stage was previously carried out.

Well, yes, my opinion is no different from Andrey’s: bug hunting is not a very stable job. I think it’s more of a good part-time job or a paid hobby. After talking with some specialists at OFFZONE 2023 and listening to the same Ramazan Ramazanov’s speech at a press conference dedicated to the results of BI.ZONE Bug Bounty, I formed exactly this opinion. This may not be the case, especially since I’m not that versed in bug hunting. I hope there are other views.
