Millions of dollars are available if you find technical flaws in major products that allow you to breach their systems.
How much can you get if you can use a social engineering hack to breach a system?
A Google search for “social engineering bug bounty” returns a list of programs that explicitly exclude any social engineering breach as being eligible for a reward.
At first glance this makes sense. Figuring out how to trick a human is hardly a consistent and repeatable process, so fixing it is not an easy or permanent fix. Social engineers could easily exploit the same bug over and over again.
However, whether it be most ransomware attacks or the recent Twitter hack, the vulnerable point was not in the technology, but in the human operating it. The hack was in convincing a user authorized to take administrative actions to unknowingly allow the hacker into the system. The hacks into the 2016 Democratic Presidential Campaign were also social engineering hacks.
Social engineering is not a minor attack type, but rather the mechanism behind some of the most well-known hacks in recent history.
The main argument against this is that it would rapidly get expensive because so many people would give away their password, leak important information, or click a suspicious link. I could easily see organizations losing tens of thousands of dollars in the first few months of this program.
But if a social engineering bug bounty would be extremely expensive to a company, they have a serious problem.
If you have a server on the internet, you know that it is under constant attack from automated bots pinging ports and checking to see if you left your WordPress credentials set to their defaults.
The people in organizations are equally under attack. Indeed, they are some of the most vulnerable parts of the system because nobody is routinely updating the people on new attack strategies. How many of them know that they could be targeted? How many of them could be fooled by a carefully crafted phishing email? People who can be fooled by phishing emails are essentially default admin passwords.
A technical bug that allowed an outside person to gain access to an admin account would be worth thousands, if not tens of thousands of dollars.
Gaining that same access through social engineering and reporting it to the company would get you a visit from the local or perhaps even federal police.
It shouldn’t be this way.
Companies should establish social engineering bug bounties. If you successfully obtain the Office 365 credentials of an employee, that should earn you perhaps $200. A Gitlab login or a more important login might be worth $900.
It need not be a free-for-all that leads to mass employee harassment. Social engineers could be required to register beforehand, be rate-limited in how many emails/calls they could make, and certain approaches (such as pretending to be a family member in distress) could be ineligible for rewards. They could be required to demonstrate that the credentials were obtained through some kind of social interaction rather than from some online data dump. Precise documentation of every source of phishing information could also be demanded.
Social engineering has proven its power as an attack method, especially when applied creatively. Bug bounty programs should reflect the potential impact of that.