Information Security
New scrutiny on bug bounties: Is there strength in numbers?
Bug bounty programs are a cool idea and often work, so why haven't they taken off for non-tech companies?
In November 2010, Barracuda Networks Inc., based in Campbell, Calif., became one of the first companies to run a security bug bounty program. Given the critical role that secure software plays in the world, it's no wonder that an IT security and networking company would pay people to identify potential vulnerabilities -- to find and fix them, and to provide an open communications channel for security researchers and, yes, even hackers.
The Barracuda Networks Security Bug Bounty Program initially received a handful of reports every quarter. By 2012, Barracuda Labs had hired full-time employees to respond to researchers, distribute awards and work with product teams. Since that time, many other companies have tried bug bounties, and third parties have emerged to help manage the process. The results have been positive, with some research pointing to cost savings for outsourced programs, but challenges remain.
In Barracuda's case, while the company originally committed a security team to working full time on its bounty program, in December 2014 it decided to move the program to the Bugcrowd platform. Founded in 2012, Bugcrowd is a San Francisco-based third-party provider of bug bounty and penetration testing services. The Barracuda bounty program, now run on Bugcrowd, currently offers $50 to $3,133 per qualifying bug.
The company's executives cited Bugcrowd's potential to increase its access to vulnerability researchers from 500 to more than 13,000 in the crowdsourcer's community. Other companies have followed a similar path. In February, Bugcrowd reported that it had 220 active bounties, 33,150 security vulnerability submissions and 14,300 researchers participating in its crowdsourced security program.
Strength in numbers
John Pescatore, director of emerging trends at the SANS Institute in Bethesda, Md. (and a former Gartner analyst), says bounty programs like the one Barracuda initiated have continued to garner attention and support.
"The majority of the bug bounty programs seem to have had a positive impact," he says, "meaning, the legitimate software writer was notified of a problem earlier than they would have been otherwise." However, the spectrum of so-called "vulnerability researchers" is quite broad, ranging from casual and occasional dabblers to paid professional white hats -- and doubtless includes some people who are actually "bad guys."