In recent years, some of the world's most visible tech companies have turned to bug bounty programs in an effort to find and fix security vulnerabilities as quickly as possible. Now, a market is emerging for third-party vendors that help organizations launch bug bounty programs, but is outsourcing such programs a better option than going the in-house route?
A bug bounty program is a formal initiative in which an incentive -- usually cash -- is offered to security researchers who find and report security bugs to a vulnerable system's owner. The general concept behind offering bounties is to get the eyes of as many security researchers as possible looking at code for vulnerabilities, with the hopes that flaws that may otherwise go unnoticed for months or years can be remediated before they are exploited.
Bug bounties tend to vary considerably. For instance, the Facebook bug bounty program offers a minimum amount of $500 dollars for a qualifying vulnerability, while Google offers large rewards through its bug disclosure program, up to a maximum $20,000 dollars for dangerous remotely executable vulnerabilities.
If you're a smaller company and don't necessarily have the resources to triage all those reports, I think you'll have a hard time.
VP of security, GitHub
Some bounty programs are launched to encourage the masses to scrutinize a product in a short time frame, such as Mozilla's $10,000 bounty for any flaws found in its upcoming certificate verification library slated for Firefox 31 in July. Others seem focused solely on garnering publicity -- a prime example being bulletin board site 4chan's program, which offers the mere equivalent of $20 per flaw.
Shawn Davenport, vice president of security for San Francisco-based GitHub Inc., helped his organization launch an official in-house bug bounty after it previously had a responsible disclosure program in place. GitHub's monetary rewards range from $100 to $5,000, according to Davenport, with the exact reward determined by GitHub's response team after weighing the severity of the vulnerability.
Davenport said that the five-month-old program has been a boon for GitHub's security and that he has been particularly impressed by some of the creativity researchers have shown in finding vulnerabilities -- the details of which GitHub provides on its bug bounty website.
"Egor Homakov provided one report where he was actually able to chain together several smaller, lower severity security issues," said Davenport, "and ultimately turn it into something that was a very critical issue. That's definitely one that comes to mind."
Bug bounty outsourcing benefits
When preparing to launch GitHub's program, Davenport said that his contacts at companies running successful bug bounties like the one run by Mozilla all gave him one piece of advice, which turned out to be true: expect the first few weeks to be a nightmare.
Davenport said that's because many organizations are unprepared for the "tidal wave of submissions" -- all of which need to be assessed for validity -- that will come during those opening weeks. Fortunately GitHub had enough quality developers to keep up, said Davenport, but organizations that are light on security staff may struggle to deal with the surge of vulnerabilities requiring investigation.
"While it was busy, we were able to keep up and kind of deal with that initial influx," said Davenport. "But if you're a smaller company and don't necessarily have the resources to triage all those reports, I think you'll have a hard time."
Indeed, Davenport said vulnerability triage is perhaps the greatest value provided by the growing number of third-party bug bounty program management firms, which seek to help enterprises create and manage bounty programs easily and efficiently.
Casey Ellis, CEO of third-party bug bounty vendor Bugcrowd in San Francisco, agreed with Davenport's assessment, noting that the security community is great at finding vulnerabilities, but less efficient in fixing them.
Ellis said Bugcrowd provides its customers with infrastructure for collecting vulnerability submissions, but that a majority of those using the firm's services choose to pay for triage services -- meaning the customer's security team outsources the process of verifying the validity and scope of submissions.
To further reduce the initial noise ratio, Ellis said Bugcrowd customers can also narrow the scope of the submissions allowed based on the quality of researchers -- a metric derived from the quantity and validity of the submissions previously made by a researcher to various Bugcrowd-run programs.
"What customers get is a qualified list of issues that they need to go and fix," said Ellis, who noted that some enterprises choose to open up their bug bounties to the world immediately instead of ramping them up slowly. "What you're basically doing with a bug bounty program is turning on a fire hose for the security community around the world. [Enterprises] basically end up getting a little swamped under the load."
Katie Moussouris, chief policy officer for San Francisco-based third-party bug bounty vendor HackerOne and the founder of Microsoft's bug bounty program, said that some companies struggle with the quantity of vulnerability they receive after launching a bug bounty program, but the quality and severity of the bugs can be just as problematic.
Moussouris -- whose firm also offers bounty triage and scoping services -- indicated that the monetary rewards on offers may drive greater interest from researchers, and as such companies that aren't initially prepared for an influx of submissions that require immediate fixes can choose to reduce scope of the program, either through lowering the rewards or limiting the researchers allowed to submit.
Before taking such measures though, Moussouris said that companies should realize why they are starting a bug bounty in the first place.
"Yes, reducing a program's scope might be a way to help manage those reports," said Moussouris, "but it's not necessarily going to help them find as many security vulnerabilities as possible."
Most companies seeking the services of a third-party bug bounty facilitator do so for the triage support, Moussouris said, but another pain point that most organizations need help overcoming is establishing the payment infrastructure for submissions. For example, Moussouris said that HackerOne will handle all administrative, tax, regulatory and compliance issues with international payments.
Davenport noted that GitHub's inability to process payments via any method other than PayPal has caused a few minor niggles for researchers and that payment infrastructure is one of the few areas where GitHub's in-house bug bounty program needs to improve. Moussouris said it's a common problem.
"I actually managed Microsoft's vulnerability reward program, and I can tell you that setting up that infrastructure to pay people around the world for their disclosures was not straightforward, even for a giant corporation," said Moussouris. "So having that part of it taken out of the equation is definitely a big help when organizations are looking to outsource their bug bounty programs."
All the experts that spoke with SearchSecurity touted the benefits of outsourcing bug bounties, but noted that some companies might be best served going the in-house route.
Indeed, Ellis said that for every account BugCrowd closes, there is another potential customer that either chooses to launch an in-house program or foregoes bug bounties altogether. Most of the hesitation on the part of clients comes from assessing the risk involved with such programs, according to Ellis, as companies don't always want outsiders poking through their code. As a counterpoint, he advises organizations to consider that attackers will be poking at their code regardless of whether a bug bounty system is in place, but encouraging white hat hackers to find any vulnerabilities in a timely manner will give the bad guys fewer flaws to target.
Moussouris said that the response teams in place at some organizations feel that they are in the best position to determine the validity of a vulnerability submission, including whether it falls within the scope outlined by a bug bounty, the severity of the vulnerability and ultimately the payout that a submission deserves.
For the most part though, bug bounty outsourcing represents an opportunity for companies that generally wouldn't have the means to operate a program to do so.
"It's a really great trend in the industry," said Davenport, "and so just looking at incentivizing researchers and creating a more continuous cycle of security assessment, I think any company can benefit from that."