
Bug bounty programs can deliver significant benefits, but only if you’re ready – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Bug bounty programs can be a big boon to software security and provide expanded vulnerability visibility, but they’re not for all organizations and can come with risks.

Bug bounty programs, which offer financial incentives to outside security researchers to find software vulnerabilities, seem like a 21st-century phenomenon, but according to bug bounty platform provider HackerOne, the first bug bounty program dates back to 1983.

That year, a company called Hunter & Ready offered $1,000 to those who found “errors” in its chip-based Versatile Real-Time Executive (VRTX) operating system. Since then, the bug bounty market has become an industry generating $1.5 billion in annual revenue, according to one estimate, with individual bug bounty payouts topping out in the hundreds of thousands, and even millions, of dollars.

Over the last several years, part of the growth in bug bounties can be attributed to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure-by-Design initiative. Although CISA’s Secure-by-Design effort calls for organizations to create a vulnerability disclosure program (VDP), which experts consider a necessary precursor to establishing a bug bounty program, many organizations have launched bug bounty programs to demonstrate what they say is a deepening of their commitment to CISA’s Secure-by-Design pledge.

Bug bounties “create more eyes on target,” Casey Ellis, founder, chairman, and CTO of Bugcrowd, tells CSO. “When you think about what our job is as defenders, the whole reason we’re here is that there’s this crowd of creative adversaries that has lots of different skill sets, lots of different motivations, lots of different incentives, and if you’re trying to outsmart all of that, our job is to beat them to the punch. We need to preempt their creativity and find ways to create impact and then mitigate that.”

How bug bounty programs are structured

Bug bounty programs are relatively straightforward propositions. They exist when organizations establish public or private reward programs to encourage external cybersecurity researchers to report discovered vulnerabilities.

“It’s a vulnerability disclosure program where you’ve elected to incentivize and reward the people that find and report a unique issue with some sort of cash reward or reward with a financial equivalent,” Ellis says. “It can be Bitcoin. It can be anything that can be exchanged for cash. And generally, it works by paying a bug bounty to a finder based on them being the first to find a unique issue.”

Some organizations can get creative when extending rewards to researchers, particularly when cash is not abundant or top management frowns on spending significant sums on outsiders. “It could be financial,” Josh Jacobson, director of professional services at HackerOne, tells CSO. “Or there could be some swag that blurs the lines a little bit. The first program that I ran for United Airlines paid out in miles. We paid out one million miles for a critical vulnerability, which was extremely popular. So, it doesn’t have to be just dollars and cents.”

Jacobson advises organizations to get creative if their budgets are constrained. “It’s helpful if you lean into what your organization has, especially when awarding a lot of money. CFOs start to get a little nervous sometimes.”

Wade Lance, field CISO at Synack, tells CSO: “Responsible organizations are looking for ways to discover vulnerabilities economically. So, you do your internal pen testing, but then externally, you say, ‘Hey, rather than just finding out by getting attacked, I’d much rather have a bug bounty program. And if someone out there discovers a vulnerability, I’d be happy to slide just some money to pay for your time and effort.’ It leverages community-based testing, which is super valuable.”

The benefits of a bug bounty program

The most significant benefit of a bug bounty program is finding vulnerabilities an organization might not have otherwise discovered. “A bug bounty program gives you another avenue of identifying vulnerabilities that you’re not finding through other processes,” such as internal vulnerability scans, Stefanie Bartak, associate director of the vulnerability management team at NCC Group, tells CSO.

Establishing a bug bounty program signals to the broader security research community that an organization is serious about fixing bugs. “For an enterprise, it’s a really good way for researchers, or anyone, to be able to contact them and report something that may not be right in their security,” Louis Nyffenegger, CEO of PentesterLab, tells CSO.

Moreover, a bug bounty program will offer an organization a wider array of talent to bring perspectives that in-house personnel don’t have. “You get access to a large community of diverse thinkers, which help you find vulnerabilities you may otherwise not get good access to,” Synack’s Lance says. “That diversity of thought can’t be underestimated. Diversity of thought and diversity of researchers is a big benefit. You get a more hardened environment because you get better or additional testing in some cases.”

Finally, a bug bounty program adds credibility to an organization’s overall security efforts. “There’s a public relations value in a bug bounty program,” says Lance. “What we’re seeing from the regulators and seeing from the markets is they expect you to have VDP and bug bounty programs. If you have no bug bounty, no VDP, people will wonder what else your organization doesn’t have when it comes to cybersecurity.”

Bug bounty programs are not for everyone

Although bug bounty programs can deliver significant cybersecurity and reputational benefits, experts caution that they’re not for every organization and require substantial preparation to pull off. “I don’t think it’s appropriate for every organization to run a public bug bounty program,” Bugcrowd’s Ellis says.

“I think it’s important and necessary for every organization to have a vulnerability disclosure program. You can’t control when someone might find a vulnerability in your stuff. When that happens, you need to be able to receive that information and the person who finds it needs to know that they’re safe telling you. That’s for everyone.” But, Ellis adds, “to incentivize that with a public bug bounty program, not every company is equipped to do that.”

Ellis distinguishes between public bug bounty programs and private programs that are only open to select security researchers. “Everyone can benefit from a private bug bounty program because everyone’s having trouble accessing talent. Pretty much any organization ready to fix its issues can engage that model in a private context. The difference being that when you run a public bug bounty program, it’s literally the entire internet trying to help, versus when it’s a private program, you’ve got a narrow group of people. It’s more controlled. It’s less likely to overwhelm the organization on the receiving end.”

The risks of launching a bug bounty program

Most experts think overwhelming the organization is the chief risk organizations should consider when contemplating a public bug bounty program, which is why so many organizations opt to hire outside bug bounty platform firms to help manage that process.

“One of the things going into bug bounty and VDP is that people don’t understand the workload and the risk,” Lance says. “You have to have people ready to look through these submissions and decide if this is a vulnerability and whether or not it is exploitable. And then, if it’s in a bug bounty, you have to decide what the payout’s worth is, and you have to negotiate that with the researcher.”

Preparing for this work requires staff capable of determining whether a submission is a genuine vulnerability, whether it is exploitable, and, if so, how to mitigate it. It also requires establishing a budget big enough to pay out respectable bounties. Lance says, “What I would say is there’s no free lunch, and good things have costs associated with them, which are not just the dollars but also the effort.”

On top of all that, organizations must vet the security researchers submitting bug reports. “You can wind up on the US terror watch list because you’re paying a terrorist, a known terrorist. If you pay a bounty to a person unbeknownst to you who is a member of a known terrorist organization, you’re financing terrorism,” Lance says.

Regarding budgeting, bug bounty newcomers can easily run out of money if they set the prices too high and receive more submissions than expected. “I highly recommend that if you’re new to a bug bounty program, and it’s something you’re looking at doing, you really understand the budget and how much it would potentially cost,” NCC Group’s Bartak says.

Bug bounty programs are also not for organizations backlogged in identifying and eliminating vulnerabilities they’ve discovered using in-house resources. “If you can’t fix issues in the next six months, if you can’t handle the workload, or if you need to close a bounty program after two months because you’ve run out of money and you don’t know how to handle it because it’s too much for you, it’s not a good look,” PentesterLab’s Nyffenegger says.

Don’t launch a bug bounty program until you’re ready

Experts agree that most prominent technology companies already have bug bounty programs. They also say that most companies with substantial internet-facing assets don’t have bug bounty programs but should seriously explore launching them.

Of the 50,000 or 60,000 organizations with VDPs that Bugcrowd tracks, “I would say that maybe 5% of those run a public bug bounty program,” Ellis says.

Although Lance is uncertain, he hazards a guess that maybe one-third of organizations that should have them do have bug bounty programs. Whatever the ratio, “there’s a lot of growth to happen in this space,” he says.

However, they caution that only organizations with well-oiled security programs should consider launching bug bounty programs. You need to be “very, very mature,” Jacobson says. “You’ve gone through all your testing methodologies. You’ve proven that you can remediate your vulnerabilities. You fix all your scanner vulnerabilities. You fix all your pen test vulnerabilities.”

Launching a bug bounty program when you’re not ready could be a disaster. “I saw a few programs closing down after a few months because they were overwhelmed,” Nyffenegger says. “The problem is they shut down because they ran out of money or time or it was too much for them. But they still had open reports, and many researchers spent a lot of time working to find those vulnerabilities, and they expected a reward. And those people got very angry but couldn’t disclose it officially because they agreed to the bug platform confidentiality terms.”

Experts also caution that bug bounty programs aren’t a reason to back off existing security efforts. “One thing that I’ve seen in my past is that bounty programs are expected to be this kind of panacea, and this is going to solve all of my testing problems,” Jacobson says. “Organizations will say, ‘We’re getting a lot of great vulnerabilities, things that we’ve never seen before. Can we get rid of our scanners?’”

That is just “a penny-wise, pound-foolish thing,” says Jacobson. “I want to ensure that CISOs and security organizations aren’t trying to gut anything.”


Original Post url: https://www.csoonline.com/article/3619804/bug-bounty-programs-can-deliver-significant-benefits-but-only-if-youre-ready.html

Category & Tags: Bugs, Security, Security Practices, Vulnerabilities
