New scrutiny on bug bounties: Is there strength in numbers?

In November 2010, Barracuda Networks Inc., based in Campbell, Calif., became one of the first companies to run a security bug bounty program. Given the critical role that secure software plays in the world, it's no wonder that an IT security and networking company would pay people to identify potential vulnerabilities -- to find and fix them, and to provide an open communications channel for security researchers and, yes, even hackers.

The Barracuda Networks Security Bug Bounty Program initially received a handful of reports every quarter. By 2012, Barracuda Labs had hired full-time employees to respond to researchers, distribute awards and work with product teams. Since that time, many other companies have tried bug bounties, and third parties have emerged to help manage the process. The results have been positive, with some research pointing to cost savings for outsourced programs, but challenges remain.

In the case of Barracuda, while the company originally committed a security team to working full time on its bounty program, in December 2014 it decided to move it to the Bugcrowd platform. Founded in 2012, Bugcrowd is a San-Francisco-based third-party provider of bug bounty and penetration testing services. The Barracuda bounty program, run by Bugcrowd, currently offers $50 to $3,133 per qualifying bug.

The company's executives cited Bugcrowd's potential to increase its access to vulnerability researchers from 500 to more than 13,000 in the crowdsourcer's community. Other companies have followed a similar path. In February, Bugcrowd reported that it had 220 active bounties, 33,150 security vulnerability submissions and 14,300 researchers participating in its crowdsourced security program.