The New Era of Threat Bounty Program
Table of contents:
How Crowdsourcing Shapes Future Cyber Defense Strategies
Crowdsourcing is one of the key pillars for building advanced cyber defense capable of addressing the new challenges of the modern threat landscape. With over 30K new vulnerabilities being discovered solely in 2023 and cyber attacks occurring every minute, standalone teams can hardly cope with the avalanche of existing threats. Knowledge sharing is a must to outspeed and outsmart adversaries.
By aggregating data and insights from multiple sources, crowdsourced threat detection initiatives provide a richer understanding of the attack surface and enable faster and more coordinated responses. This collaborative approach optimizes resources, ensures real-time information sharing, and fosters continuous improvement through an iterative feedback loop. With its global reach and capacity for innovation, crowdsourcing builds a resilient and scalable defense network, driving effective, community-driven cybersecurity practices to combat sophisticated and evolving cyber threats.
Being the evangelists of the collective cyber defense approach, at the third EU ATT&CK community workshop in May 2019, SOC Prime launched the industry-first bounty program for cyber defenders. Marking the 5th anniversary of the Threat Bounty Program, we introduce the enhanced toolset and extended capabilities for contributions, reflecting core principles of modern cybersecurity and providing the members of the crowdsourced community with SOC Prime’s most advanced technologies for detection engineering.Â
Back to the Roots
Acknowledging personal excellence and recognition of authorship rights are fundamental to SOC Prime’s initiative that unites specialists worldwide and provides them with the opportunity to contribute to global cyber defense.
The Threat Bounty initiative received support from the members of the cybersecurity community who rushed to apply and pre-register for the Program following the announcement. As a prompt reaction to community readiness and demand, we launched the Developer Portal in early June 2019, which served as the main hub for contributing detection rules to SOC Prime for five years.Â
Since day one, SOC Prime’s Threat Bounty Program has been known as a trusted and supportive environment for those willing to challenge their detection engineering skills and earn some cash while observing how their detection rules help companies all over the globe withstand emerging or known cyber threats.
The Program’s development and transformation have always been aligned with industry and technology evolution, enabling us to maintain high professionalism and motivation for those willing to expand their detection engineering practices and be part of the crowdsourced Blue Team providing detections to organizations worldwide. These days, we are taking the user experience of Threat Bounty members to an entirely new level, equipping them with the most advanced SOC Prime technologies and tools for detection engineering. Â
Steering the Community
With the idea of limitless knowledge-sharing within the community, back in 2018, SOC Prime launched Uncoder.IO, which acted as a fast, private, and easy-to-use online translator for Sigma Rules, maintaining 100% privacy of its users. Seeing the success of Uncoder as the community tool, in November 2023, the SOC Prime Team made Uncoder.IO a fully open-source tool under Apache 2.0 license. As Uncoder has been developed with privacy in mind, the SaaS version of the tool available at https://uncoder.io ensures no cookie tracking, data or code logging, or sharing with third parties. To the community, this means that any experienced security professional or beginner in cyber defense benefits from basic IOC-conversion, content translation, and Sigma & Roota rules creation capabilities.Â
Since the first pre-registration to the Threat Bounty Program in April 2019, SOC Prime has received almost 2,000 applications to join the Program and welcomed over 600 individuals who demonstrated their readiness to contribute to global cyber defense via SOC Prime. Contributing to crowdsourced detection engineering often requires the authors of threat detection rules to venture beyond the familiar realm of professional interests and skills established in the workplace, organization, or even industry and expand their expert competencies and analysis of the global cyber threat landscape.Â
Although aligning the effort of the crowdsourced threat detection engineers with the actual market need is an essential, or even a vital part of the Threat Bounty Program, it is always challenging for the content authors to keep their skills aligned with contemporary demands regarding the complexity of the detections and the ever-changing threat landscape.Â
The program members who have been with the community since the early days remember how easy and effortless it was to get their content published on the SOC Prime Platform. Authors could submit their detection algorithms for a Premium or a Community publication, and this approach provided authors with more flexibility, especially when the detection logic was not complex. However, fostering and promoting the least-effort contributions to the global community is against the Program’s principles.Â
The Threat Bounty Program is a demanding environment that promotes the development of personal talent in the cybersecurity workforce of any organization and cybersecurity vendor. The program enables experts specializing in various technologies to further develop and utilize their applied skills in an ethical and competitive setting with strict requirements for following laws and regulations regarding IP rights and personal data, as well as an understanding of generic Sigma format and deep knowledge of vendor-specific formats.
Moreover, the development and evolution of Uncoder IO and the introduction of IOC conversion to custom hunting queries marked another breakthrough in the transformation of the Threat Bounty Program and content acceptance requirements. In response to the Program evolution, content authors who wanted to earn cash with their own detections had to adapt to the more demanding environment and invest time in developing more complex rules.Â
Rewards
The possibility of monetizing detection rules with SOC Prime’s Threat Bounty Program is undoubtedly an important point to consider for those looking for opportunities to earn additional income from their professional knowledge.Â
The rating-based rewards system is a means of delivering global feedback on detection content, which includes reflecting trends in demand for detection coverage of technologies, specific log sources, behaviors, and tools of particular APT groups.Â
This approach to rewarding content authors was more than helpful in aligning the general recommendations for accepted rules with the actual demand of regular Platform users. For instance, it became clear that a minimum viable detection or a low-level IOC cannot contribute to efficient threat detection as a part of SOC Prime’s offering to the global community.
The rating-based rewards system, along with the established standards for the quality of submissions, enables SOC Prime to award authors who deliver actionable content capable of detecting malicious tools and behaviors in the real-world environments of businesses and governments.Â
Information is KeyÂ
Continuous feedback sharing is essential for maintaining high standards of crowdsourced content development, ensuring ongoing involvement of the cyber community in developing actionable detections, improving content quality, and enhancing credibility among end-users. While we provide authors with feedback on their submitted rules via email, the SOC Prime engineers who verify detections suggested for publication do not extend their feedback to personal professional consultations or coaching. Instead, we encourage the members of the Threat Bounty Program to participate in community-driven discussions, which we believe are more valuable for the Threat Bounty community than individual consultations, as they increase transparency, foster information exchange, and encourage skill development among Threat Bounty authors.Â
To equip Threat Bounty Program members with a community of open learning and knowledge exchange, we’ve introduced a Discord channel that serves as a hub where experienced practitioners generously share their knowledge and insights with eager newcomers to foster peer-driven collaboration, engage in animated discussions, keep up with the latest cybersecurity trends, and advance their hard skills.
What’s New?
Crowdsourced threat detection always comes with unified language, so any security practitioner can benefit from the collective cyber defense. Threat Bounty Program started with Sigma rules at its core, making community contributions portable to many SIEM and EDR languages. Yet, to enable the industry to overcome the limitations of Sigma rules in describing and porting complex behavior-based detections, the SOC Prime team introduced Roota in 2023. Â
With Roota acting as a wrapper, cyber defenders can take a native rule or query and augment it with metadata, with the help of Uncoder AI, translate the code into other SIEM, EDR, and Data Lake languages. Inspired by the success of Yara and Sigma rules, Roota is focused on broader applicability by a larger community of defenders. This means that you can write in Roota with any language you already know and Uncoder will help to translate to other common languages, eliminating a need to learn any new specific or generic query language. The goal is to equip anyone with rule writing experience with better tools at work. This way, not only seasoned Threat Hunters, DFIR and Sigma rules experts, but also SOC Analysts eager to contribute to collective good through Threat Bounty Program now use SOC Prime’s advanced detection engineering suite with Uncoder at its heart. SOC Prime is now providing our Threat Bounty members a private AI that does not leak their code, supports Detection Rule Licensing adherence, and makes sure that author rights for IP are not lost in translation, all on top of a private developer environment which is not scrapped by generative AI, a personal repo to store their detections in a cloud SOC 2 Type II environment, and multiple IDE-like features, including code autocompletion, MITRE ATT&CK tagging, QA, fixes, and an embedded workflow for code review and usage.
The new era of SOC Prime’s crowdsourced detection engineering program unifies all our community initiatives, creating an easy-to-use, all-in-one workflow designed to unleash personal talent, enhance detection engineering and threat-hunting skills, and expand technology expertise. The Threat Bounty Program provides a secure, ethical, and competitive setting for participants to contribute to cyber defense while gaining recognition and tangible benefits for their efforts.