Does Your Bug Bounty Program Need an Overhaul?

They’ve become mainstream, but bug bounty programs are vast, varied and complicated

When bugs proliferate, there’s potential for an infestation problem that needs to be fumigated. Over the past few years, bug bounty programs have become a popular solution for getting rid of nasty vulnerabilities before they create more widespread problems.

Bug bounty programs have become so mainstream that it’s common to see companies such as Apple pay out $200,000 in bounty for security issues affecting its firmware. “More mature organizations might be able to run a fully public program, with a very wide scope, paying competitive bounties like those of Twitter, Riot Games or Snapchat,” said Adam Bacchus, director of program operations at HackerOne. But ethical researchers aren’t always interested in the monetary reward.

Certainly, the high dollar value that many organizations are paying out these days is hugely attractive, yet security researcher Dylan Houlihan wasn’t looking for compensation when he alerted Panera Bread of a vulnerability on its website. Careful not to be “overly secure,” Panera did nothing with this information—proof that not all security teams are created equal when you look at resources, attack surface and engineering’s availability to fix known security issues.

Finding the Right Fit

“For this reason,” said Bacchus, “bug bounty programs are never one-size-fits-all. Based on a combination of these factors, some organizations might only be ready for a private program with no bounties, a handful of hackers and one or two assets in scope.”

A bug bounty program grows more competitive when security teams are responsive to participating hackers. Bacchus said that maintaining transparency in what teams are looking for, keeping the scope and volume of incoming reports manageable for the internal teams and offering competitive bounty awards that are aligned with industry standards are additional indications of a successful program.

Yet, there are complexities around the whole concept of bug bounties and vulnerability disclosure that simmer beneath the sexy stories of how much organizations are willing to pay researchers to find bugs. It’s come to be that when people think about bug bounty programs, “They immediately think of a public program with rewards,” said Casey Ellis, CTO of Bugcrowd.

Many researchers aren’t looking to get their name in the headlines, though. “A hacker’s gonna hack,” said Ellis, and there are good guys who are disclosing vulnerabilities they find because they want to keep the internet safe. That’s where crowdsourcing becomes a means of optimization for the future of these programs.

For the internet to be safe, enterprises need to first focus on security. “Bug bounties are great,” said Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense, “but it’s about having a proper security program first.”

When structuring or reforming an existing bug bounty program, Mukkamala said the first questions you need to ask are, "What are we looking for?" and "What are we trying to test?" Because, he noted, "If you are not testing, somebody else is testing it for you. Your tool is out there and you need to expect people to poke at it."

Crawl, Walk, Run

As with most things that aren’t well-planned, if a program is created without a lot of thought, there are likely going to be some pitfalls. “I’ve seen many cases where someone decided they need a public bug bounty program, so they spun one up, but that doesn’t tend to end that great. DJI is a pretty good example,” Ellis said.

Most organizations begin privately and then dial up over time, increasing their incentives or rewards. “It’s important to start small and scale up,” Bacchus said. “This is true for the number of participating hackers, what’s in scope and, if you’re paying bounties, your standard bounty amounts based on severity.”

Reaching out for help is critical to the process, so don’t underestimate the importance of partnership and seeking expert help from the hacker community. Whether it’s through peers or platforms, Ellis said, “Make sure that help is coming from places of experience. Beware of those who lack experience but have strong opinions of how things should and shouldn’t operate.”

The goal of bug bounty programs is to keep the internet safe. To mitigate the risks of what is on the internet today, both the legal and compliance frameworks have to be reformed or adjusted so that bug bounty programs can be an enabler for researchers to proactively find those vulnerabilities. Proper planning, being thoughtful and engaging with the community are musts when it comes to implementing an effective program.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
