
Are bug bounty programs secure enough for enterprise use?

The use of bug bounty programs in enterprises is growing, but they aren't risk free. Expert Mike O. Villegas discusses some concerns related to bug bounties.

More enterprises appear to be adopting bug bounty programs to help them find vulnerabilities. But are there hidden risks involved? For example, an adult video site recently had its subscriber database exposed to white hat hackers who exploited a bug bounty. While the hackers didn't make the data public, the customer data was still accessed by untrusted third parties. What factors should enterprises weigh when considering bug bounty programs?

Bug bounty programs are run by many large web companies, including Facebook, Yahoo, Google, Reddit, Square and Microsoft. Under these programs, outside security researchers receive recognition and payment for responsibly reporting bugs in the vendor's software or services. Many of the qualifying reports are security flaws: exploitable vulnerabilities, sometimes ones previously unknown to the vendor (zero-days).

Rewards vary by vendor and with the severity of the finding, from a T-shirt, to $250, to as high as six figures for the most critical issues. On Dec. 8, 2016, a Finnish bug hunter disclosed a stored cross-site scripting flaw in Yahoo Mail that would have let an attacker read a victim's email, or plant self-propagating malicious code that spread from one Yahoo Mail account to the next. The only interaction required was for the victim to view an email sent by the attacker; no clicking on a link or opening an attachment was needed. The bug hunter received a $10,000 reward, an amount presumably scaled to the potential impact on every Yahoo Mail user.

However, publishing the details of a vulnerability on a blog or public forum gives attackers enough information to exploit the bug before the vendor has had a chance to remediate it, and it would be naive to assume they will not take advantage of that. Even after the vendor has shipped a fix, a detailed public write-up tells attackers exactly how to target the many systems whose owners have not yet applied the patch.

On balance, bug bounty programs are a good idea: they give vendors concrete evidence of where their secure-coding practices and controls fall short. But the technical details of a finding do not have to be released to the general public. One option is to distribute those details only to subscribed, vetted customers, although many in the security community will oppose that restriction.

There is a long-running debate over whether vendor software vulnerabilities should be kept secret. Talks at the annual DEF CON conference routinely disclose them in public. No law prevents such disclosures, so whether a vulnerability is posted on a vendor's bug bounty page, on an underground blog or on social media, exploitation is bound to follow. That is a factor vendors need to weigh when considering a bug bounty program.


This was last published in January 2017


Join the conversation

2 comments


Mastercard, Western Union, Fiat Chrysler, Barracuda and Netgear are all examples of publicly traded, traditional enterprises that run bug bounty programs, and that's before you get into the hundreds of other companies that operate the bounty model on a private basis with trust, privacy and control as part of the SOP [Source: I'm the founder of Bugcrowd], so I'd suggest based on that that they are enterprise ready.

As for hackers doing bad things, that's the fault of the vulnerabilities that let them... not an invitation for white-hats to do good things. You can't prevent a burglar coming to your door, but you can make sure it's locked when they get there. The priority should be on reducing the risk by engaging approaches like bug bounties, not operating under the illusion that we can control the behavior of a real adversary.