
Is the bug bounty program concept flawed?

Looking for security vulnerabilities? Tread lightly. The benefits of vulnerability rewards programs are great, but so are the risks.

This article can also be found in the Premium Editorial Download: Information Security magazine: Are SIEM products delivering on advanced analytics?

When it comes to reporting technical vulnerabilities to the parties involved, most security researchers and hackers know that they need to proceed with caution. Logan Lamb learned that lesson the hard way when he found security weaknesses in home alarm systems and then felt "pressured" by big-name home security vendors to keep a lid on his findings at Black Hat USA 2014 last August.

But Black Hat is also the place where vendors like to invite trouble. Mobile credit card processor Square announced its security bug bounty program, run by HackerOne, in 2014. Microsoft launched its bug bounty program at the Las Vegas convention in 2013. While the possibilities of security bug bounty programs across industries are promoted at Black Hat and other security gatherings, the reality is most organizations still do not have mechanisms that enable "outsiders" to safely report security flaws.

The benefits of vulnerability rewards programs are great, but so are the risks, says Gus Anagnos, the former head of PayPal’s bounty program, who shares his experiences with technology journalist Alan R. Earls in this month’s feature article, "Scrutiny on the Bounty." Anagnos, who joined security startup Synack in July as vice president of strategy and operations, says: "It’s not always clear who you are dealing with -- you don’t know whether you are working with a white hat or a black hat."

Anagnos also says, "There can be a lot of noise in these systems, and the quality isn’t always there, nor are the findings always significant."

Kathleen Richards

Pioneer Google, which launched its bounty program in 2010, offers resources such as Bughunter University to its researchers to help streamline the vulnerability submissions process: "Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security," the company cautions researchers.

Are bug bounty programs just stacking up vulnerabilities? The top monetary rewards are generally aimed at technical vulnerabilities that could lead to compromises of sensitive data and privacy issues.

Ever wonder who coined the term bug? It was Grace Hopper, whom AT&T Chief Security Officer Ed Amoroso "interviewed" during AT&T’s annual cybersecurity conference a few years ago. Marcus Ranum caught up with him to get his hard-won perspective on keeping up with technology assessments as security controls rapidly advance -- and crafting policy strategies in the face of complex security design.

Interest in SIEM systems is increasing as companies look to detect breaches earlier and limit damage. But information overload (false positives) and missed signs of advanced attacks continue to be major problems, Rob Lemos reports in "The Hunt for Data Analytics: Is Your SIEM on the Endangered List?" Big data and advanced analytics have promised to deliver better and more complete threat detection.

As some organizations look for earlier detection of threats from behavioral analytics, we revisit the concept of "good enough" security in the wake of the Sony Pictures Entertainment hacking incident. What are some of the tradeoffs that affect these business risk decisions and how will that change going forward? Technology journalist David Strom interviewed several security officers and IT security managers across various industries and reports his findings in "‘Good Enough’ Security After Sony."

How can enterprises implement defenses based on actual threats and vulnerabilities rather than investing in broader technology measures? Those answers are still hard to come by, as risk management and knowledge of business operations are added to the CISO’s long list of things to worry about -- trusted partnerships, global threat awareness, reliable architecture and proven technology. What is good enough security and when do you need something more?

About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

This was last published in March 2015

2 comments

Bug bounties find lots of bugs, but from what I’ve seen they are mostly superficial, happy path bugs that a typical cycle would have found anyway. I’ve seen several bug bounty programs with the popular crowdsourcing platforms. Unfortunately, the vast majority of those participating are largely unskilled in the nuances of software testing. When you combine this with the pay-by-the-bug model, what results are a few of the more severe bugs, but most of those involved report numerous bugs that are near trivial just to make the easy money. So, yeah, they find bugs, but they also create a lot of noise, and I seriously doubt that companies seldom get the value they are looking for out of a bug bounty.
I think the bug should only relate to security / network breaches. If a bug bounty program is classifying typos and broken links as payable bugs then they will get swamped with reports. Then it's how do you handle multiple users submitting the same "bug"? Then try and explain to all the other users they were not the first so no payout.
