{"id":1182,"date":"2024-12-11T06:00:00","date_gmt":"2024-12-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1182"},"modified":"2024-12-11T06:00:00","modified_gmt":"2024-12-11T06:00:00","slug":"bug-bounty-programs-can-deliver-significant-benefits-but-only-if-youre-ready","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1182","title":{"rendered":"Bug bounty programs can deliver significant benefits, but only if you\u2019re ready"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Bug bounty programs, which offer financial incentives to outside security researchers to find software vulnerabilities, seem like a 21st-century phenomenon, but according to bug bounty platform provider HackerOne, the first bug bounty program <a href=\"https:\/\/x.com\/cybersecuritysf\/status\/883829319604293632\">dates back<\/a> to 1983. \u00a0<\/p>\n<p>That year, a company called Hunter &amp; Ready offered $1,000 to those who found \u201cerrors\u201d in its chip-based Versatile Real-Time Executive (VRTX) operating system. 
Since then, the bug bounty market has become an industry generating $1.5 billion in annual revenue, according to <a href=\"https:\/\/www.businessresearchinsights.com\/market-reports\/bug-bounty-platforms-market-102501\">one estimate<\/a>, with individual bug bounty payouts topping out in the <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/bounty?oneroute=true\">hundreds of thousands<\/a>, and <a href=\"https:\/\/www.hackerone.com\/press-release\/cryptocom-launches-landmark-usd-2-million-bug-bounty-program-hackerone\">even millions<\/a>, of dollars.<\/p>\n<p>Over the last several years, part of the <a href=\"https:\/\/www.csoonline.com\/article\/657751\/top-bug-bounty-programs.html\">growth in bug bounties<\/a> can be attributed to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA) <a href=\"https:\/\/www.cisa.gov\/securebydesign\">Secure-by-Design<\/a> initiative. Although CISA\u2019s Secure-by-Design effort calls for organizations to create a vulnerability disclosure program (VDP), which experts consider a necessary precursor to establishing a bug bounty program, many <a href=\"https:\/\/blog.cloudflare.com\/cisa-pledge-commitment-bug-bounty-vip\/\">organizations<\/a> <a href=\"https:\/\/www.vanta.com\/resources\/secure-by-design-pledge\">have<\/a> <a href=\"https:\/\/sec.okta.com\/cisasecurebydesign1\">launched<\/a> bug bounty programs to demonstrate what they say is a deepening of their commitment to CISA\u2019s Secure-by-Design <a href=\"https:\/\/www.cisa.gov\/securebydesign\/pledge\/progress-reports\">pledge<\/a>.<\/p>\n<p>Bug bounties \u201ccreate more eyes on target,\u201d Casey Ellis, founder, chairman, and CTO of Bugcrowd, tells CSO. 
\u201cWhen you think about what our job is as defenders, the whole reason we\u2019re here is that there\u2019s this crowd of creative adversaries that has lots of different skill sets, lots of different motivations, lots of different incentives, and if you\u2019re trying to outsmart all of that, our job is to beat them to the punch. We need to preempt their creativity and find ways to create impact and then mitigate that.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How bug bounty programs are structured<\/h2>\n<p>Bug bounty programs are relatively straightforward propositions. They exist when organizations establish public or private reward programs to encourage external cybersecurity researchers to report discovered vulnerabilities.<\/p>\n<p>\u201cIt\u2019s a vulnerability disclosure program where you\u2019ve elected to incentivize and reward the people that find and report a unique issue with some sort of cash reward or reward with a financial equivalent,\u201d Ellis says. \u201cIt can be Bitcoin. It can be anything that can be exchanged for cash. And generally, it works by paying a bug bounty to a finder based on them being the first to find a unique issue.\u201d<\/p>\n<p>Some organizations can get creative when extending rewards to researchers, particularly when cash is not abundant or top management frowns on spending significant sums on outsiders. \u201cIt could be financial,\u201d Josh Jacobson, director of professional services at HackerOne, tells CSO. \u201cOr there could be some swag that blurs the lines a little bit. The first program that I ran for United Airlines paid out in miles. We paid out one million miles for a critical vulnerability, which was extremely popular. So, it doesn\u2019t have to be just dollars and cents.\u201d<\/p>\n<p>Jacobson advises organizations to get creative if their budgets are constrained. \u201cIt\u2019s helpful if you lean into what your organization has, especially when awarding a lot of money. 
CFOs start to get a little nervous sometimes.\u201d<\/p>\n<p>Wade Lance, field CISO at Synack, tells CSO: \u201cResponsible organizations are looking for ways to discover vulnerabilities economically. So, you do your internal pen testing, but then externally, you say, \u2018Hey, rather than just finding out by getting attacked, I\u2019d much rather have a bug bounty program. And if someone out there discovers a vulnerability, I\u2019d be happy to slide just some money to pay for your time and effort.\u2019 It leverages community-based testing, which is super valuable.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The benefits of a bug bounty program<\/h2>\n<p>The most significant benefit of a bug bounty program is finding vulnerabilities an organization might not have otherwise discovered. \u201cA bug bounty program gives you another avenue of identifying vulnerabilities that you\u2019re not finding through other processes,\u201d such as internal vulnerability scans, Stefanie Bartak, associate director of the vulnerability management team at NCC Group, tells CSO.<\/p>\n<p>Establishing a bug bounty program signals to the broader security research community that an organization is serious about fixing bugs. \u201cFor an enterprise, it\u2019s a really good way for researchers, or anyone, to be able to contact them and report something that may not be right in their security,\u201d Louis Nyffenegger, CEO of PentesterLab, tells CSO.<\/p>\n<p>Moreover, a bug bounty program will offer an organization a wider array of talent to bring perspectives that in-house personnel don\u2019t have. \u201cYou get access to a large community of diverse thinkers, which help you find vulnerabilities you may otherwise not get good access to,\u201d Synack\u2019s Lance says. \u201cThat diversity of thought can\u2019t be underestimated. Diversity of thought and diversity of researchers is a big benefit. 
You get a more hardened environment because you get better or additional testing in some cases.\u201d<\/p>\n<p>Finally, a bug bounty program adds credibility to an organization\u2019s overall security efforts. \u201cThere\u2019s a public relations value in a bug bounty program,\u201d says Lance. \u201cWhat we\u2019re seeing from the regulators and seeing from the markets is they expect you to have VDP and bug bounty programs. If you have no bug bounty, no VDP, people will wonder what else your organization doesn\u2019t have when it comes to cybersecurity.\u201d<\/p>\n<h3 class=\"wp-block-heading\">Bug bounty programs are not for everyone<\/h3>\n<p>Although bug bounty programs can deliver significant cybersecurity and reputational benefits, experts caution that they\u2019re not for every organization and require substantial preparation to pull off. \u201cI don\u2019t think it\u2019s appropriate for every organization to run a public bug bounty program,\u201d Bugcrowd\u2019s Ellis says.<\/p>\n<p>\u201cI think it\u2019s important and necessary for every organization to have a vulnerability disclosure program. You can\u2019t control when someone might find a vulnerability in your stuff. When that happens, you need to be able to receive that information and the person who finds it needs to know that they\u2019re safe telling you. That\u2019s for everyone.\u201d But, Ellis adds, \u201cto incentivize that with a public bug bounty program, not every company is equipped to do that.\u201d<\/p>\n<p>Ellis distinguishes between public bug bounty programs and private programs that are only open to select security researchers. \u201cEveryone can benefit from a private bug bounty program because everyone\u2019s having trouble accessing talent. Pretty much any organization ready to fix its issues can engage that model in a private context. 
The difference being that when you run a public bug bounty program, it\u2019s literally the entire internet trying to help, versus when it\u2019s a private program, you\u2019ve got a narrow group of people. It\u2019s more controlled. It\u2019s less likely to overwhelm the organization on the receiving end.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The risks of launching a bug bounty program<\/h2>\n<p>Most experts consider overwhelming the organization to be the chief risk to weigh when contemplating a public bug bounty program, which is why so many organizations opt to hire outside bug bounty platform firms to help manage that process.<\/p>\n<p>\u201cOne of the things going into bug bounty and VDP is that people don\u2019t understand the workload and the risk,\u201d Lance says. \u201cYou have to have people ready to look through these submissions and decide if this is a vulnerability and whether or not it is exploitable. And then, if it\u2019s in a bug bounty, you have to decide what the payout\u2019s worth is, and you have to negotiate that with the researcher.\u201d<\/p>\n<p>Getting prepped for this work requires staff capable of discerning vulnerabilities and whether they\u2019re exploitable and, if so, mitigating those bugs. It also requires establishing a budget big enough to pay out respectable bounties. Lance says, \u201cWhat I would say is there\u2019s no free lunch, and good things have costs associated with them, which are not just the dollars but also the effort.\u201d<\/p>\n<p>On top of all that, organizations must vet the security researchers submitting bug reports. \u201cYou can wind up on the US terror watch list because you\u2019re paying a terrorist, a known terrorist. 
If you pay a bounty to a person unbeknownst to you who is a member of a known terrorist organization, you\u2019re financing terrorism,\u201d Lance says.<\/p>\n<p>Regarding budgeting, bug bounty newcomers can easily run out of money if they set the prices too high and receive more submissions than expected. \u201cI highly recommend that if you\u2019re new to a bug bounty program, and it\u2019s something you\u2019re looking at doing, you really understand the budget and how much it would potentially cost,\u201d NCC Group\u2019s Bartak says.<\/p>\n<p>Bug bounty programs are also not for organizations backlogged in identifying and eliminating vulnerabilities they\u2019ve discovered using in-house resources. \u201cIf you can\u2019t fix issues in the next six months, if you can\u2019t handle the workload, or if you need to close a bounty program after two months because you\u2019ve run out of money and you don\u2019t know how to handle it because it\u2019s too much for you, it\u2019s not a good look,\u201d PentesterLab\u2019s Nyffenegger says.<\/p>\n<h2 class=\"wp-block-heading\">Don\u2019t launch a bug bounty program until you\u2019re ready<\/h2>\n<p>Experts agree that most prominent technology companies already have bug bounty programs. They also say that most companies with substantial internet-facing assets don\u2019t have bug bounty programs but should seriously explore launching them.<\/p>\n<p>Regarding the 50,000 or 60,000 organizations with VDPs that Bugcrowd tracks, \u201cI would say that maybe 5% of those run a public bug bounty program,\u201d Ellis says.<\/p>\n<p>Although Lance is uncertain, he hazards a guess that maybe one-third of organizations that should have them do have bug bounty programs. Whatever the ratio, \u201cthere\u2019s a lot of growth to happen in this space,\u201d he says.<\/p>\n<p>However, the experts caution that only organizations with well-oiled security programs should consider launching bug bounty programs. 
You need to be \u201cvery, very mature,\u201d Jacobson says. \u201cYou\u2019ve gone through all your testing methodologies. You\u2019ve proven that you can remediate your vulnerabilities. You fix all your scanner vulnerabilities. You fix all your pen test vulnerabilities.\u201d<\/p>\n<p>Launching a bug bounty program when you\u2019re not ready could be a disaster. \u201cI saw a few programs closing down after a few months because they were overwhelmed,\u201d Nyffenegger says. \u201cThe problem is they shut down because they ran out of money or time or it was too much for them. But they still had open reports, and many researchers spent a lot of time working to find those vulnerabilities, and they expected a reward. And those people got very angry but couldn\u2019t disclose it officially because they agreed to the bug platform confidentiality terms.\u201d<\/p>\n<p>Experts also caution that bug bounty programs aren\u2019t a reason to back off existing security efforts. \u201cOne thing that I\u2019ve seen in my past is that bounty programs are expected to be this kind of panacea, and this is going to solve all of my testing problems,\u201d Jacobson says. \u201cOrganizations will say, \u2018We\u2019re getting a lot of great vulnerabilities, things that we\u2019ve never seen before. Can we get rid of our scanners?\u2019\u201d<\/p>\n<p>That is just \u201ca penny-wise, pound-foolish thing,\u201d says Jacobson. \u201cI want to ensure that CISOs and security organizations aren\u2019t trying to gut anything.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Bug bounty programs, which offer financial incentives to outside security researchers to find software vulnerabilities, seem like a 21st-century phenomenon, but according to bug bounty platform provider HackerOne, the first bug bounty program dates back to 1983. 
\u00a0 That year, a company called Hunter &amp; Ready offered $1,000 to those who found \u201cerrors\u201d in its [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1171,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1182","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1182"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1182"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1182\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1171"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}