Is a bug bounty program right for your company?
Already an attractive option for a variety of consumer applications, crowd sourcing is now catching on in the corporate world. One emerging area of crowd sourcing is bug bounty programs. These are rewards offered by organizations to security researchers or whitehat hackers, who receive recognition and financial compensation for finding and reporting bugs, exploits and vulnerabilities in the organizations’ websites and applications.
As a technology company or security professional, it’s easy to see the attraction of running bug bounty programs. But these programs are not without risk, and timing can be a critical factor. Unless they are managed carefully, bug bounty programs can come with serious consequences for your overall security posture.
Back to Basics: What Is a Bug Bounty?
Bug bounty programs have been around since the mid-to-late 1990s, but for many years the number of organizations offering them were fewer than a couple of dozen. That was until just a few years ago, when some large companies like Facebook, Google, Microsoft, and Yahoo launched very high profile and well publicized programs.
They now come in all shapes and sizes, with some applying to back-end software, some to customer-facing websites and applications, and some to hardware. They are most predominantly found in the high-tech industry, but more recently they’ve been appearing in sectors such as retail, social media, gaming, finance and travel.
Programs can be managed in one of two ways: Organizations can take a "do-it-yourself" approach, or they get help to front-end the program with a bug bounty broker. Brokers step in to create and manage bug bounty programs on behalf of their customers.
Do-it-yourself bug bounty programs are obviously more resource-intensive to run, and they involve a process that is very hard to automate. All bug bounty programs take a lot of time and money to do well, which is why only the largest social networking, e-commerce, and software companies are running their own programs.
When and Where?
A bug bounty program can be a great complement to your existing application security initiatives to add extra expertise and a new set of eyes on perhaps your one or two most business-critical applications. Running a bounty program can also help to encourage goodwill in the hacker community, turning that community into a sort of "neighborhood watch" for the company and its products.
For the majority of organizations, adding a bug bounty program to the mix makes the most sense at a stage when the company’s existing app security program is already quite mature. This means very few new vulnerabilities are being introduced by the developers and any that are, are being fixed as quickly as they are reported. If this is not yet the case, the company would be better off spending the time and resource getting its continuous app security practice up to scratch, before rolling out the bug bounty red carpet.
Safety Considerations
Today, as organizations consider their overall security posture, one of the biggest concerns is over who has access to what, when it comes to vulnerability testing. With much of the testing taking place on source code and behind firewalls, understanding who has access, where the testing will take place, and where the vulnerability data will be stored are all critical considerations.
In a bug bounty model, organizations have very little visibility or control over these considerations. Most security researchers are working privately and there is certainly no way to keep tabs on them. There have been cases in the news recently, in which bug bounty hunters have gone far beyond what the organizations expect of them and have accessed sensitive data that the organizations didn’t want to share publicly.
Bug bounty hunters may also try out unexpected testing methodologies and techniques to probe your websites and may end up compromising the security of your secondary systems or inadvertently accessing the source code of your web applications stored on SVN servers.
Furthermore, there is no way of ensuring that your entire application has been combed through diligently to find all the vulnerabilities. Since most of the bug bounty hunters work independently, you have no idea what areas of the websites have been assessed and what haven’t, so you can never truly know what your security posture is.
Start Small, Then Scale It Up
Many large and small organizations realize the value of bounty programs vis-à-vis access to skill sets and scalability, but they have also recognized that they can be difficult to control from a budget perspective. If you’re considering a bug bounty program, there are a few important steps that need to be taken. The first step involves running a time-bound, closed, and confidential bounty program before opening things up to a larger crowd of participating bug hunters.
Apple recently announced that it was holding an invitation-only bounty program. The invitation-only approach enables Apple to ensure it engages with vetted researchers who are interested in working with them to find and disclose security problems within what are most likely as-yet unreleased software builds.
In a scaled-down program, a small and elite team from a bounty hunter pool should be allowed to test a select number of applications and websites over a short period of time -- usually two to four weeks. Following this test, which establishes trust in the process, the bug bounty program can then be opened up to the world at large.
A Dual-Pronged Approach Is Key to Success
Security-conscious organizations have been interested in bug bounty programs for years, and many have been keeping a close eye on how these programs are evolving -- specifically, where they can and should fit in their security mix, and the economics associated with this. Using a dual-pronged approach of a comprehensive security program plus a bug bounty program, you should be able to have the most effective security strategy at the right times. This will safeguard your digital assets and help you beat hackers at their own game.
Ryan O’Leary is vice president of the Threat Research Center at WhiteHat Security, the web application security specialist. Ryan has extensive experience in finding and exploiting application vulnerabilities and configuring automated testing tools.
Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.
Photo Credit: andriano.cz/Shutterstock