Opening up your code to hackers, asking them to give it their best shot and offering rewards as high as $100k if they get back to you with a particularly scary breach might have sounded like a very bizarre course of action a few years ago. In today’s hectic and under-staffed cyber-security market it seems like more and more companies are signing up for this service.
Lately, the software security world has been abuzz about bug bounty programs. All the cool kids are doing it (Google, Facebook, Mozilla and Apple, to name a few), and hackers are lining up to pocket those fat rewards.
We recently talked about white hat hackers, their motivation and relationship with the open source community, but bug bounty programs are rapidly progressing from a community trend to a recommended component of enterprise cyber-security practices.
Bug bounties are also known as responsible disclosure programs. Organizations initiate them to encourage security professionals to test their products and discover bugs and vulnerabilities. Successful bug bounty hunters can be rewarded with money, swag, or honorable mention.
Security researchers have a lot to gain from participating in bug bounty projects: in addition to providing an opportunity to practice and perfect their skills and get recognized in the professional community, they could also earn quite a hefty reward.
If You Can’t Beat Them, Join Them: Why Bug Bounty Programs Work
Google, one of the first big names to crowdsource cyber-security research nearly seven years ago, has been consistently raising the rewards for quality findings: reportedly paying a total of $3 million in 2016. As cyber-attacks get more sophisticated and advanced, more organizations are beginning to welcome the hackers into their products. Experts list five good reasons for organizations to join the bug bounty game:
1. The more eyes the better: by opening the program to the cyber-security research community, companies get more working hands than they could ever hire – and they only need to pay for the wins.
2. In the race to go live, no product is completely secure. Companies that accept that no DevOps lifecycle can eliminate all vulnerabilities need to add more precautions for protection, as efficiently as possible. Bug bounty programs add another resource for finding those vulnerabilities.
3. Exploits and breaches cost much more: a security breach can cost a company both their reputation and a lot of money. Bug bounty programs are a small price to pay for the added security.
4. Bug bounty hunters know what they’re doing: with big players like Google, Facebook, PayPal and Intel already in the game, bug bounty hackers are professionals that know their craft and best practices – at this point, it’s an easy program for companies to manage.
Getting it Right
Bug bounty is shaping up to be more than a passing trend. With security vulnerabilities and breaches making headlines day after day, application security is on everyone’s mind. A recent HackerOne report showed that organizations across all industries and verticals are adopting bug bounty programs: in 2016, nearly half of the bug bounty programs launched were in organizations outside the tech industry. However, much like open source software security, working with a community of professionals also presents organizations with challenges, requiring expertise and best practices.
Tech professionals with experience running a bug bounty program offer up these tips for leveraging bug bounty:
1. Beware of the backlog: following the launch of a new bug bounty program or a rise in rewards, submissions will spike. Organizations need to be prepared to handle and address all the new issues. If they don’t, they risk losing good hackers and responding late to real risks.
2. Communication is key: responding to researchers clearly, within an acceptable timeframe, is important. A submission can turn out to be a duplicate, or simply unreproducible. When organizations set up a program, they need to cover all of these scenarios so they can continue to benefit from submissions and keep their bounty hunter community involved.
3. Stay competitive: everyone was excited when Apple launched its first bug bounty program for iPhone. But it turns out that the reward didn’t stand up to grey-market competition, and that white hat hackers who spent valuable time researching iPhone security weren’t happy with Apple’s compensation, and weren’t submitting their findings to Apple. It’s important to know the bug bounty landscape going into a project.
Just like every other cyber-security project and process, organizations need to make sure they stay ahead of the game. The security landscape is continuously evolving, and companies that want to leverage the wisdom of the bug bounty crowd need to run their bug bounty program with the same discipline they apply to their other security projects and tools. It’s important to learn the best practices in the industry, stay close to the community of experts, and continue to manage the program actively to achieve maximum security while keeping your company’s products and services innovative and risk-free.