There are many reasons why a company may want to implement a bug bounty program. The most prominent is that no matter how good an organization's software testing is, how proficiently its developers code for security, or how thorough its software security tests are, there will always be flaws. These flaws make it possible for attackers to exploit security vulnerabilities and bypass security defenses.
This is where bug bounty programs come in. A bug bounty program is one in which an organization pays a reward to third-party security researchers who find software security flaws that meet certain conditions in its software or on its sites, apps, or services.
There are many purported benefits to these programs, such as the identification and fixing of more vulnerabilities and, as a result, a more secure infrastructure. But there are also many challenges and drawbacks that must be taken into consideration.
Large companies that offer bug bounties, such as Facebook, Google, Samsung (the Samsung Smart TV Security Bounty Program), and Mozilla, have the large technical and financial resources necessary to run their own programs. With their intricate web and development environments, these large companies' bug bounty programs provide an additional way to find software and configuration errors that slip past developers, testers, and security teams. Organizations of this size often have the ability to manage the whole bug bounty program themselves, from setting the fees, to the analysis of the bugs uncovered, to communications with security researchers.
For midsized and smaller organizations, however, it makes sense to turn to a bug bounty service provider. The bug bounty vendor can handle the recruiting, vetting, and managing of security researchers for smaller enterprises, as well as the analysis of bug findings and payment management. For smaller firms that don't have the expertise and full staff on hand required to run their own bug bounty programs, it's an affordable and more manageable way to find bugs that could slip past their automated scans.
Some companies like to run continuous bug bounty programs, so that whenever a researcher finds a bug they will be paid if it is a flaw that deserves payment. Other programs run for a limited period of time, and within that window researchers are given a defined scope in which to look for flaws.
While the idea of bug bounty programs is similar to traditional penetration testing, the approach is the polar opposite. If you were to compare it to writing, think of a bug bounty as a competition where a lot of writers come together to compete against each other, and the writers with the best essays win the prize.
The advantages are as follows:
Microsoft and Facebook partnered in 2013 to provide financial support to The Internet Bug Bounty, a program designed to offer rewards for reporting hacks and bugs in a wide range of software. The software covered by the program includes Adobe Flash, Nginx, Ruby, PHP, Ruby on Rails, OpenSSL, Python, Perl, Apache HTTP Server, Django, and Phabricator. This program helped harness the collective intelligence of security researchers to protect valuable customer data.
In 2016, the US Department of Defense announced its bug bounty program, known as the 'Hack the Pentagon' program. The program targeted public-facing websites and paired with HackerOne, a Silicon Valley-based firm that advised on, operated, and executed the program. The program ran for a duration of 25 days and saw 1410 hackers submit 138 legitimate reports. HackerOne promptly paid $75,000 in rewards to the researchers.
While the use of ethical hackers to find bugs can be very effective, and organizations have benefited from such bug bounty programs, these programs can also be controversial. Hackers can pose a threat of exposing the vulnerability to the world if the developer organization fails to respond promptly. Also, such a program cannot completely eliminate the need for internal research and inspection processes.
To limit this potential risk, some organizations offer closed bug bounty programs that require an invitation. For example, Apple has limited bug bounty participation to a few researchers. Another option is to make use of third-party platforms.
Bug bounty sponsors have found a way to make all the time researchers spend searching without result cost-free to the software companies. Though these programs are in essence an extension of security testing programs, and are time-saving and relatively cost-effective, companies should ensure that they are implemented effectively.