
Product vulnerability discovery, mitigation, and disclosure continue to evolve, and many companies are considering the adoption of “bug bounties” to augment their internal research and development teams. Behind this is the realization that an undetected vulnerability will have a deleterious effect on the company brand and potentially place their customers, partners, and clients at risk.
Popular Bug Bounty Programs
Bugcrowd, a prominent bug bounty program host, has identified “four key attributes” which are “used to assess, select, and evaluate individual researcher’s performance.”
These four attributes are:
QUALITY
How often submissions are accepted as “valid” by a program owner – researchers must maintain an acceptance rate of 50% or higher.
ACTIVITY
Frequency of a researcher’s submissions – only considered active if a submission has been made within the last 90 days.
IMPACT
Criticality and impact of vulnerability submissions, measured between 1.0 (critical) and 5.0 (low) – minimum priority rate of 3.99 required.
TRUST
Maintaining a track record of staying inside scope of a bounty brief, following terms, and honoring all nondisclosure requirements.
Bugcrowd’s intent is to demystify the community and take a whack at destroying the stigma that those involved in testing and identifying vulnerabilities in products are themselves sitting with a foot in both the white and black hat worlds. Their transparent approach does just that.
HackerOne is another prominent bug bounty program. In a recent interview with Dark Reading, HackerOne’s CEO, Marten Mickos, highlights how security can never be 100 percent perfect, “but bug bounty programs are the most powerful way of preventing cyber crime.” He notes that the use of platforms like HackerOne continues to evolve as companies develop new ways to identify vulnerabilities and to handle the attendant disclosure.
Katie Moussouris, CEO of Luta Security, notes how “bug bounties are applicable in certain (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Christopher Burgess. Read the original post at: Cylance Blog