
Will a bug bounty program improve enterprise software security?

The increasing popularity of bug bounty programs leaves many wondering if they can improve enterprise software security. Expert Michael Cobb discusses the ins and outs of such programs.

I'm a security architect for a well-known business software vendor, and recently we've been discussing whether we should create a bug bounty program. They seem to be increasingly popular, but do they do any good for actually improving the security of software products?

Imagine there is a room of 50 motivated, very smart and tech-savvy men and women poring over your products -- stress testing them, using them illogically and bombarding them with input to try and find if there are any flaws in the code that could be misused.

Would you prefer those people to be working with you or against you?

Any business software vendor will have many times that number of hackers working against them; cybercriminals and nation states will always be looking for vulnerabilities that can be exploited to steal data or gain control of the devices or systems on which the software resides. Creating a bug bounty program to encourage and reward security researchers who responsibly report security bugs is the only way to even up the numbers and, hopefully, find out about coding flaws before they are found and abused by attackers.

Cybercrime and cyberespionage are big businesses, and new critical vulnerabilities are highly prized -- they can earn the finder up to $200,000 on the black market. Firms like Vupen and Netragard operate as exploit brokers, often selling vulnerabilities to American and European governments and agencies. While the underground market for software vulnerabilities is well developed, the white-hat market is still very much in its infancy, but, thankfully, it is maturing fast. Most major software vendors (including Microsoft, Google, Mozilla, Facebook and Yahoo) have some form of bug bounty program and, based on the amounts that have been paid out, bug hunters have found some pretty serious flaws and vulnerabilities.

So, yes, these programs do improve the security of software. There are now several sites such as Bugcrowd that maintain up-to-date lists of all bug bounty programs and streamline the bug submission, review and reward process. Bugcrowd also supports the Internet Bug Bounty sponsored by Microsoft and Facebook, which rewards hackers who contribute to a more secure Internet.

For software vendors that truly want their products to be more secure, the economics of a bug bounty program are very attractive. Instead of having to hire a large in-house team of security experts, all a vendor needs is a technical team to review submissions and verify valid bugs. The complex and time-consuming task of testing and analyzing products is left to the bounty hunters.

Bounty rewards vary depending on the severity of the vulnerability found. Personally, I still think that many programs do not pay high enough rewards, especially given the effort that goes into finding and submitting a proof-of-concept exploit versus the money, data and business reputation that is saved.

Some bounty programs only provide a "hall of fame" page as a way to recognize researchers who've contributed a valid bug. Ali Jones has found various bugs for eBay and is named on its Responsible Disclosure Acknowledgement page, but says he has little incentive to continue analyzing eBay since the company doesn't pay for vulnerability information. Does this lack of reward reflect the true value vendors place on securing their products? Recognition is fine, but until you can spend it on groceries, the many very talented coders, especially those based in poorer countries, are unlikely to participate.

Complete security is only achieved when software does what it is expected to do in all conditions. Rewarding people to actively create unexpected conditions provides a way to harness the collective intelligence and capabilities of security researchers around the world, further improve the quality of code and protect users' data and privacy. Vulnerability research and responsible disclosure are critical to the security of enterprise and customer data, and they need to be supported -- otherwise the only time vendors will know their products contain serious vulnerabilities is when their customers are under attack.


This was last published in November 2014


Do you believe a bug bounty program is beneficial? Why?
Yes, because it's often easier for external people to recognize vulnerabilities. It's similar to editing in that respect - you can read an essay you've written multiple times and not see anything wrong, but another pair of eyes can quickly spot a typo you've glossed over. Having an outside resource applied to your systems can be helpful in finding security holes, and a bug bounty program can be particularly helpful because instead of just paying high-priced consultants, you're creating some sense of participation and recognition among experts who may possibly become advocates for your company (if you compensate them well enough, of course).  
Good point, ben!
I think bug bounties find lots of bugs, but from what I’ve seen they are mostly superficial, happy path bugs that a typical cycle would have found anyway. I’ve seen several bug bounty programs with the popular crowdsourcing platforms. Unfortunately, the vast majority of those participating are largely unskilled in the nuances of software testing. When you combine this with the pay-by-the-bug model, what results are a few of the more severe bugs, but most of those involved report numerous bugs that are near trivial just to make the easy money. So, yeah, they find bugs, but as Anagnos said, they create a lot of noise, and I seriously doubt that companies seldom get the value they are looking for out of a bug bounty.
Well, looks like Facebook just got some value from theirs:
I think that they are beneficial. I have never participated in one, but I understand that the payout can be substantial for finding something like a major security flaw. For testers/hackers who have the skills and are willing to make the time investment, it seems like a great idea.
I'm all for it. If a major software company cannot see the benefit to a reward system like this to find the bugs that may damage its product and name, then let them suffer the consequences. If the "dark side" of the computer world is willing to pay and not the code developer, who do you trust with this info? Do you expose the flaw and possibly your own data to the world or the developer for not thoroughly beta testing their code?