Bug Bounty Programs – Uncovering Critical Vulnerabilities
by Robert Bond
Bug Bounty Programs – Vulnerability Management for Top Cyber Risks
Bug Bounty Programs provide effective way for both small and large enterprises to test their IT systems and identify top cyber vulnerabilities.
Organizations are constantly looking for ways to better identify vulnerabilities on their systems and reduce their cybersecurity risk. A growing and innovative way of doing so is by participating in a bug bounty program.
For many years, organizations conducted point-in-time assessments of their systems, conducting their own or collaborating with an external provider for a penetration test, web application security assessment, or vulnerability scan. While these traditional testing methods certainly help companies identify vulnerabilities, newer bug bounty programs provide larger scope and increase vulnerability discovery capability.
What is a Bug Bounty Program?
The first bug bounty program dates back to 1983. Operating system manufacturer Hunter & Ready, Inc. ran an advertising campaign offering a VW Beatle automobile or $1000 to anyone that discovered a bug in the company’s OS. Another early adopter was Netscape, which offered cash rewards for bugs reported in their Netscape Navigator 2.0 Beta product. Bug bounties started taking off in the early 2000s, when companies like Mozilla, IDefense,
Facebook, and Google started offering hundreds of dollars to researchers able to identify critical vulnerabilities in their applications. Today, bug bounty programs are more popular than ever and rewards have grown exponentially for individuals willing to put the time and effort into finding unique software flaws and other vulnerabilities, Larger companies are now regularly offering six figure payouts for substantial findings, like Microsoft’s bug bounty offering $100,000 for the discovery of critical vulnerabilities. Another growing trend is the offering of bug-bounty-as-a-service providers. Instead of working directly with the public, companies’ partner with a crowd-sourced provider that makes it easy to start and manage a program while delivering the same results.
Top 5 Benefits of Bug Bounty Programs
Bug bounty programs bring a variety of benefits to organizations seeking to test their IT systems. They continuously bring top quality, multi-skilled testers who are typically available to test on-demand.
- Talent Availability – traditional third-party penetration testing service providers have long been the preferred way for companies to discover security vulnerabilities and test their systems. However, these testers have a limited talent pool, with each individual only specialized in a specific domain area. The shortage of talent in this area is an increasing challenge – with 23% of organizations reporting a shortage of pen testers in a recent ISSA survey. By moving to a crowd-sourced model, organizations are able to leverage a diverse skill set covering a wide variety of scenarios and threats, resulting in a more comprehensive testing of their systems.
- Scope of Testing – penetration testers are usually incentivized to produce a limited number of vulnerabilities on a target system – once a network or system has been compromised, the test is complete, and testers deliver their report. With an open-ended bug bounty program, tests are continually conducted and continue even after serious vulnerabilities are reported.
- Scope in Time – a penetration test is a point-in-time assessment that usually only covers a few weeks. Even a more comprehensive red team assessment might only cover several months. With a bug bounty program, testing is year-round, 24×7. In today’s agile and devops development environments, servers, applications, and systems may be spun up and down, and ephemeral assets are common. These types of assets may not be seen by a traditional penetration test but may present serious vulnerabilities during their brief time connected to a network. With a bug bounty program, all the continuously changing and deployed devops or agile assets are in-scope and will be covered by security testers.
- Security expertise – Bug bounties are becoming increasingly lucrative and are now attracting top talent. The average bounty paid to hackers for a critical vulnerability has increased – from $1,624 in 2015 to $1,923 in 2017, and top performing bug bounty testers now earn an average of $50,000 a month, with some earning nearly $900,000 a year. To date, Google’s Vulnerability Reward Program has paid out over $6 million, and Facebook’s program is now over $4 million. As the financial compensation for these programs continues to rise, more and more security talent will be focused on testing and participation in bug bounty programs.
- Cost – bug bounties are a cost-efficient way to test applications and systems. The cost of participating in a program can be as low as a few thousand dollars. Some programs are now even free to participate in. When compared with the cost of responding to a data breach, these programs are a good way to discover and mitigate vulnerabilities before they become a problem.
Bug Bounty Programs-as-a-Service
Small businesses may not have the IT, public relations, or contracting and legal support necessary to set-up and manage their own bug bounty program. One solution currently expanding on the market are Bug Bounty Program-as-a-Service providers. Bug Bounty service providers including Bugcrowd, HackerOne, Synack, Cobalt and Zerocopter manage the program on behalf of their customers, including the interaction with researchers and management of submission, validation, and payout activities.
Bugcrowd reports that these organizations are detecting five times the number of vulnerabilities found from a penetration test of equivalent cost. These providers offer a wide variety of talented testers – Bugcrowd, for example, has signed 2,200 testers that participate in testing for their clients. POLi Payments, a recent Bugcrowd customer, reported that 335 testers participated in the program review their systems. These service providers make it easy for medium and small businesses to leverage the diversity, availability, and security expertise of bug bounty programs, while being relieved of the need to start and manage the program on their own.
As bug bounty programs become more popular, their efficiency and quality are likely to continue to improve. More testers and researchers are participating, and even potential ex-criminal hackers now participate in legitimate testing, drawn by the lucrative payouts for successful vulnerability discoveries. The list of participants is long and varied, and even the Department of Defense is now offering payouts for bug reports. For organizations looking for a way to secure their network and lock down potential vulnerabilities, a bug bounty program is an increasingly cost-effective option.
August 31, 2019