The Efficacy of Bug Bounties

Product vulnerability search, mitigation, and revelation continue to evolve, and many companies are considering the adoption of “bug bounties” to augment their internal research and development teams. Driving this is the realization that an undetected vulnerability will have a deleterious effect on the company brand and may place their customers, partners, and clients at risk.

Popular Bug Bounty Programs

Bugcrowd, a prominent bug bounty program host, has identified “four key attributes” which are “used to assess, select, and evaluate individual researcher’s performance.”

These four attributes are:

QUALITY
How often submissions are accepted as “valid” by a program owner – researchers must maintain an acceptance rate of 50% or higher.

ACTIVITY
Frequency of a researcher’s submissions – only considered active if a submission has been made within the last 90 days.

IMPACT
Criticality and impact of vulnerability submissions, measured between 1.0 (critical) and 5.0 (low) – minimum priority rate of 3.99 required.

TRUST
Maintaining a track record of staying inside scope of a bounty brief, following terms, and honoring all nondisclosure requirements.

Bugcrowd’s intent is to demystify the community and take a whack at destroying the stigma that those involved in testing and identifying vulnerabilities in products are themselves sitting with a foot in both the white and black hat worlds. Their transparent approach does just that.

HackerOne is another prominent bug bounty program. In a recent interview with Dark Reading, HackerOne’s CEO, Marten Mickos, highlights how security can never be 100 percent perfect, “but bug bounty programs are the most powerful way of preventing cyber crime.” He notes that the use of platforms like HackerOne continues to grow as companies develop ways to identify vulnerabilities and handle the attendant disclosure.

Katie Moussouris, CEO of Luta Security, notes how “bug bounties are applicable in certain (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Christopher Burgess. Read the original post at: Cylance Blog

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.