Information Security

Defending the digital infrastructure
In This Issue

pixel_dreams - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

New scrutiny on bug bounties: Is there strength in numbers?

Bug bounty programs are a cool idea and often work, so why haven't they taken off for non-tech companies?

Alan R. Earls
By

In November 2010, Barracuda Networks Inc., based in Campbell, Calif., became one of the first companies to run a security bug bounty program. Given the critical role that secure software plays in the world, it's no wonder that an IT security and networking company would pay people to identify potential vulnerabilities -- to find and fix them, and to provide an open communications channel for security researchers and, yes, even hackers.

The Barracuda Networks Security Bug Bounty Program initially received a handful of reports every quarter. By 2012, Barracuda Labs had hired full-time employees to respond to researchers, distribute awards and work with product teams. Since that time, many other companies have tried bug bounties, and third parties have emerged to help manage the process. The results have been positive, with some research pointing to cost savings for outsourced programs, but challenges remain.

In the case of Barracuda, while the company originally committed a security team to working full time on its bounty program, in December 2014 it decided to move it to the Bugcrowd platform. Founded in 2012, Bugcrowd is a San-Francisco-based third-party provider of bug bounty and penetration testing services. The Barracuda bounty program, run by Bugcrowd, currently offers $50 to $3,133 per qualifying bug.

The company's executives cited Bugcrowd's potential to increase its access to vulnerability researchers from 500 to more than 13,000 in the crowdsourcer's community. Other companies have followed a similar path. In February, Bugcrowd reported that it had 220 active bounties, 33,150 security vulnerability submissions and 14,300 researchers participating in its crowdsourced security program.

Strength in numbers

John Pescatore, director of emerging trends at the SANS Institute in Bethesda, Md. (and a former Gartner analyst), says bounty programs like the one Barracuda initiated have continued to garner attention and support.

"The majority of the bug bounty programs seem to have had a positive impact," he says, "meaning, the legitimate software writer was notified of a problem earlier than they would have been otherwise." However, the spectrum of so-called "vulnerability researchers" is quite broad, ranging from casual and occasional dabblers to paid professional white hats -- and doubtless includes some people who are actually "bad guys."

Article 2 of 7
This was last published in March 2015

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

Join the conversation

2 comments

Send me notifications when other members comment.

Register

Please create a username to comment.

From my experience, I have to agree with Anagnos that there is an awful lot of noise in the system. While it has been shown that bug-bounty programs do find bugs (and plenty of them) a large majority are the minor happy path, obvious bugs. I think that a lot of this has to do with the testing resources used in crowdsourcing (largely unskilled in the nuances of software testing) and pay-by-the-bug models that encourage those resources to earn more by quickly finding and reporting numerous simple bugs rather than spending the time to find the less obvious, more complicated bugs.
Cancel
If internal teams don't find vulnerabilities, someone else will, it's that simple. It's better to partner with some of the hackers out there, faster too.
Cancel

Get More Information Security

Access to all of our back issues View All

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close