Bug bounty programs have gotten quite popular in the last couple of years and are not restricted to the big names in tech anymore. If you haven't heard about bug bounty programs before then here's a short brief. Bug bounty, in simple words, is a crowdsourced method of finding security issues in your application. Typically, larger tech companies like Microsoft, Yahoo, Google, etc have been running bug bounty programs since long. This basically helps them gather the resources of the larger crowd to help them discover and fix security issues in their applications.
Now that you know what bug bounty programs are, you might be wondering that this sounds good in general. What can be bad or ugly about it? Well, like everything else, there are always two sides. Well, in this case, three actually.
Let's start with the good.
What's Good About Bug Bounty Programs
Bug bounty programs are designed to encourage security researchers to find security issues in software applications and report back to the sponsor. In return, these researchers are typically paid a heavy reward, based on the kind of vulnerability discovered.
In fact, Google’s bug bounty paid out a hefty $2.9 million in bug bounties in 2017. Rewards can range from $500 to $100,000 or more depending on the type of bug and the amount of time spent.
A lot of companies including Google, Facebook, Microsoft, etc. also run something called a "Hall of Fame" where they announce and acknowledge the findings of many of these researchers. Google's largest bug bounty award in 2017 was $112,500. This was paid to a security researcher for tracking down a Pixel phone exploit as part of the Android Security Rewards Program.
So, it's obvious that one of the good parts of the bug bounty programs is that security researchers or bug bounty hunters, as they are often called, are well rewarded. So they do spend a lot of time and effort to break your application and find some serious issues. This is good for the business because they can tap into the combined potential of numerous such researchers who collectively can report hundreds of threats faster than what a dedicated in-house security team could do.
Additionally, companies pay only when security researchers report an issue that meets the guidelines. For all of these reasons, many companies have started public bug bounty programs and some have also expanded the scope. Some of the biggest companies in the world now have bug bounty programs, including GM, Airbnb, Mastercard, and even the Pentagon.
The other significant advantage in running bug bounty programs is that apart from the money, security researchers are also extremely motivated to find and report issues because it helps them build a more credible profile. We've written before on why hackers hack and one of the motivators for hackers with good interests is that they look forward to building their reputation in the security world.
What's Not So Good About Bug Bounty Programs
Sometimes bug bounty programs are not very well defined. Many bug bounty programs are private and hence previous information is also unavailable. What this means is that security researchers might spend a lot of time finding issues only to know later that these were already known.
In fact, many companies have used bug bounties as a method to create a channel where they can source this security knowledge for almost free! Hackers have reported instances where even big guys like Uber have paid nothing to researchers who've actually discovered security issues in their apps.
This clearly demotivates the good guys to continue to be good guys. But if you think about it as a company, obviously you do not want to pay for security issues that are already known to you. Sadly, you can let anyone know about it unless it is patched. Also, if you are running a program, maybe someone else reported it before and you haven't patched it yet.
Things like these make it difficult for companies to successfully run bug bounty programs without a few hiccups here are there.
What's Ugly About Bug Bounty Programs
First, there's a fair about of legal discussion, especially in the US, on how bug bounty programs should be run and managed. The Register published a story after the Uber hack was in the news stating that, while there is support for bug bounty programs in general, Justin Brookman, director of privacy and technology policy at Consumers Union, a consumer advocacy group, said that state data breach notification laws, which first came into being in 2002, need to be reconciled with vulnerability disclosure programs to avoid alarming people unnecessarily about security flaws.
Another thing that is cited often by legislators is that while bug bounty rewards create more bug hunters it doesn't necessarily lead to more bug fixes.
Katie Moussouris, founder and CEO of Luta Security, said in an interview, "Everyone has gotten so enamored of bug bounties that they maybe have forgotten other investments in security that they should do first or alongside bounty programs." She also believes bug bounty programs have been marketed as a cost-effective replacement for penetration testing.
And this is where it all gets ugly.
We are all in favour of bug bounty programs. We think it's always good to tap into the power of the crowd and reward them for the same. We've also repeatedly mentioned that relying on one security program or application is a strategy that is bound for failure. Security is something that needs multiple products and multiple minds to make it difficult to break. Even then, the reality is that there is no such thing as "100% secure." Since bug bounty programs typically depend on a group of manual researchers to perform their own security tests, it's all the more necessary to combine this with another product that offers automated security testing or a set of different solutions that can leverage automation to complement the manual efforts of the bug bounty hunters.