There are many reasons why a company may want to implement a bug bounty program. The most prominent is that no matter how good an organization's software testing is, how carefully its developers write secure code, or how thorough its security tests are, there will always be flaws. These flaws make it possible for attackers to exploit security vulnerabilities and bypass security defenses.
What is bug bounty?
Security flaws in software leave it open to attackers who exploit vulnerabilities and bypass security defenses. This is where bug bounty programs come in. A bug bounty program is one in which an organization pays a reward to third-party security researchers who find software security flaws that meet certain conditions in its software, sites, apps, or services.
There are many purported benefits to these programs, such as the identification and fixing of more vulnerabilities and, as a result, a more secure infrastructure. But there are also many challenges and drawbacks that must be taken into consideration.
Who implements the bug bounty program?
Large companies that offer bug bounties, such as Facebook, Google, Mozilla, and Samsung (with its Smart TV Security Bounty Program), have the substantial technical and financial resources necessary to run their own programs. With their intricate web and development environments, these large companies' bug bounty programs provide an additional way to find software and configuration errors that slip past developers, testers, and security teams. Organizations of this size also usually have the ability to manage every part of the program themselves, from setting the fees to analyzing the bugs uncovered to communicating with security researchers.
For midsized and smaller organizations, however, it makes sense to turn to bug bounty service providers. The bug bounty vendor can handle the recruiting, vetting, and managing of security researchers for smaller enterprises, as well as the analysis of bug findings and payment management. For smaller firms that don't have the expertise and full staff on hand required to run their own bug bounty programs, it is an affordable and more manageable way to find bugs that could slip past their automated scans.
Some companies like to run continuous bug bounty programs, so that whenever a researcher finds a bug they are paid if the flaw qualifies for payment. Other programs run for limited periods of time, and within that deadline researchers are given a defined scope within which to look for flaws.
What are the advantages?
While the idea behind bug bounty programs is similar to traditional penetration testing, the approach is the polar opposite. If you were to compare it to writing, think of a bug bounty as a competition where many writers come together to compete against each other, and the writers with the best essays win the prize.
The advantages are as follows:
The aggregate cost of setting up a bug bounty program is significantly lower than hiring individual experts to conduct cybersecurity audits and penetration tests. Bug bounty hunters are paid in a results-oriented model. This is why the bugs the hunters find are usually of much higher quality, i.e., the kind of bugs that skilled attackers would actually exploit.
Continuous testing for strength
Specialists with different levels of knowledge and different tools, working from various time zones, will probe your company's resources around the clock. By attracting a high number of participants, you ensure exceptional coverage of your product testing. Apart from moderate sign-up fees, a customer pays only for original bugs detected; if no bugs are found, the company spends very little. Since so many testers come from so many different fields, the testing scenarios and vulnerability checks tend to be very diverse and sophisticated as well.
Finding vulnerable areas
When an ethical hacker finishes analyzing a company's system, they provide a clear and complete report on the system's vulnerable areas. This may be a lack of sufficient password encryption, or an employee who gives out passwords to unauthorized persons. In this way, the company's leadership can implement more secure procedures to prevent malicious actors from penetrating its computer networks, as well as to avoid mistakes made by staff.
Another significant advantage of having ethical hackers on a reward program is that they test a company's security measures. These professionals help the company determine which computer security measures are effective enough, which have to be updated, and which are simply ineffective at preventing intrusions into the system.
How to become a bounty hunter?
- Do your homework, learn about networks and programming
- Submit valuable and easy-to-understand bugs
- Earn and show respect
- Paired practice
Bounty program cases
Microsoft and Facebook partnered in 2013 to provide financial support to The Internet Bug Bounty, a program designed to offer rewards for reporting hacks and bugs in a wide range of software. The software covered by the program includes Adobe Flash, Nginx, Ruby, PHP, Ruby on Rails, OpenSSL, Python, Perl, Apache HTTP Server, Django, and Phabricator. This program helped harness the collective intelligence of security researchers to protect valuable customer data.
In 2016, the US Department of Defense announced its bug bounty program, known as the 'Hack the Pentagon' program. The program targeted public-facing websites and was paired with HackerOne, a Silicon Valley-based firm that advised on, operated, and executed the program. The program ran for 25 days and saw 1410 hackers submit 138 legitimate reports. HackerOne promptly paid $75,000 in rewards to the researchers.
While the use of ethical hackers to find bugs can be very effective, and organizations have benefited from such bug bounty programs, these programs can also be controversial. Hackers can pose the threat of disclosing a vulnerability to the world if the developing organization fails to respond promptly. Also, such a program cannot completely eliminate the need for internal research and inspection processes.
To limit this risk, some organizations offer closed bug bounty programs that require an invitation. For example, Apple has limited bug bounty participation to a few researchers. Another option is to make use of third-party platforms.
Bug bounty sponsors have found a way to make all the time spent searching and failing cost-free to software companies. Although these programs are in essence an extension of security testing, and are time-saving and relatively cost-effective, companies should still ensure they are implemented effectively.