I'm a security architect for a well-known business software vendor, and recently we've been discussing whether we should create a bug bounty program. They seem to be increasingly popular, but do they do any good for actually improving the security of software products?
Imagine there is a room of 50 motivated, very smart and tech-savvy men and women poring over your products -- stress testing them, using them illogically and bombarding them with input to try and find if there are any flaws in the code that could be misused.
Would you prefer those people to be working with you or against you?
Any business software vendor will have many times that number of hackers working against them; cybercriminals and nation states will always be looking for vulnerabilities that can be exploited to steal data or gain control of the devices or systems on which the software resides. Creating a bug bounty program to encourage and reward security researchers who responsibly report security bugs is the only way to even up the numbers and hopefully find out about coding flaws before they are found and abused by attackers.
Cybercrime and cyberespionage are big businesses, and new critical vulnerabilities are highly prized -- they can earn the finder up to $200,000 on the black market. Firms like Vupen and Netragard operate as exploit brokers, often selling vulnerabilities to American and European governments and agencies. While the underground market for software vulnerabilities is well developed, the white-hat market is still very much in its infancy, but, thankfully, it is maturing fast. Most major software vendors (including Microsoft, Google, Mozilla, Facebook and Yahoo) have some form of bug bounty program and, based on the amounts that have been paid out, bug hunters have found some pretty serious flaws and vulnerabilities.
So, yes, these programs do improve the security of software. There are now several sites such as Bugcrowd that maintain up-to-date lists of all bug bounty programs and streamline the bug submission, review and reward process. Bugcrowd also supports the Internet Bug Bounty sponsored by Microsoft and Facebook, which rewards hackers who contribute to a more secure Internet.
For software vendors that truly want their products to be more secure, the economics of a bug bounty program are very attractive. Instead of having to hire a large in-house team of security experts, all a vendor needs is a technical team to review submissions and verify valid bugs. The complex and time-consuming task of testing and analyzing products is left to the bounty hunters.
Bounty rewards vary depending on the severity of the vulnerability found. Personally, I still think that many programs do not pay high enough rewards, especially given the effort that goes into finding and submitting a proof-of-concept exploit versus the money, data and business reputation that is saved.
Some bounty programs only provide a "hall of fame" page as a way to recognize researchers who've contributed a valid bug. Ali Jones has found various bugs for eBay and is named on its Responsible Disclosure Acknowledgement page, but says he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information. Does this lack of reward reflect the true value vendors place on securing their products? Recognition is fine, but until you can spend it on groceries, many very talented coders, especially those based in poorer countries, are unlikely to participate.
Complete security is only achieved when software does what it is expected to do in all conditions. Rewarding people to actively create unexpected conditions provides a way to harness the collective intelligence and capabilities of security researchers around the world, further improve the quality of code and protect users' data and privacy. Vulnerability research and responsible disclosure are critical to the security of enterprise and customer data, and they need to be supported -- otherwise the only time vendors will know their products contain serious vulnerabilities is when their customers are under attack.
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)