This content is part of the Conference Coverage: RSA Conference 2015 special coverage: News, analysis and video

Despite benefits, skepticism surrounds bug bounty programs

Some think bug bounty programs are the answer to vulnerability woes, while others remain skeptical of the negative impacts they may present. RSA Conference panelists discussed both sides of one of today's hottest and most controversial IT topics.

SAN FRANCISCO -- Are bug bounty programs, one of the hottest buzz phrases in cybersecurity today, an enterprise's answer to vulnerability detection, or will they ultimately have a negative impact?

That was the question asked at an RSA Conference discussion last week. Panel members Casey Ellis, CEO and co-founder of Bugcrowd; Chris Evans, security researcher at Google; and Nate Jones, technical program manager at Facebook, all weighed in on the oftentimes controversial subject.

On one hand, Jones said, bug bounty programs are cost effective; organizations are paying for legitimate results rather than paying for regular penetration tests.

Audience members, however, remained skeptical. If employees are hacking a customer's network, one attendee asked, why shouldn't we be worried about them exploiting the vulnerability themselves?

The purpose of a bug bounty program is to kill the bugs, Ellis said. A certain level of trust must be assumed when creating a bug bounty program or outsourcing to a bug bounty provider.

"Do bug bounty programs increase threats?" another attendee asked. "Do they incentivize hackers?"

Someone in the crowd took to the microphone to explain that even though bug bounties exist, not all hackers necessarily go looking for bugs; they often happen upon vulnerabilities and report them, pocketing a little cash for doing a good deed.

Evans said he doesn't believe it creates any more incentive than already exists. "Say your company has an asset to protect," Evans said. "It is, kind of by default, running a bug bounty program already."

But are all hackers good?

Audience member and HackerOne Chief Policy Officer Katie Moussouris commented that some hackers do choose the color of their "hat" per bug. If they can't get their preferred "vehicle," she said, they may pursue an alternate incentive.

Ellis added that the stigma surrounding hackers isn't always accurate, noting that many people assume money drives all hacker activity. Sure, hackers have the ability to cause harm, Ellis said, but many truly want to be part of the greater good.

Do bug bounty programs really help?

So, will bug bounties see a cobra effect -- that is, will the attempt to solve the problem actually make it worse? Will people create vulnerabilities to report them, exploiting the whole basis of the bug bounty system?

The possibility is there, Evans said, but that's where the responsibility of the enterprise comes in. After a bug is reported, organizations should do root-cause analysis: find out where the bug came from, who was accountable, how it could have been exploited against their system and where the code failed, and, ultimately, patch the problem to ensure it won't happen again. After this, Evans continued, it is important to assess whether the bug bounty program is having an impact on the exploitation rate.

Ellis added that bug bounty programs aren't meant to be a sole security strategy; enterprises should be looking to prevent bugs and build security into their software to prevent the problems in the first place.

Bug bounties: Here to stay

At the end of the hour, it became clear that bug bounties will be around for a while.

Evans said bug bounty programs are "pioneers that have blazed a trail" toward improved cybersecurity.

Jones mentioned that bug bounties are not only helping incentivize people to report security vulnerabilities in a responsible manner, but they also remove the trepidation many researchers have about reporting issues.

"The amount of global enthusiasm is great," Jones added. "We've taken a topic that used to make researchers fearful -- 'Am I going to get prosecuted? Is something else bad going to happen?' -- to the point now where we can have a much more open dialog."


Join the conversation



How do you view bug bounty programs? Will they ultimately cause a cobra effect?
In general, I think providing these incentives is a good thing - but because people are fundamentally self-interested, the cobra effect is a real issue that organizations need to be wary of.
I'm not so sure that bug bounties will cause a cobra effect so much as that they can muddy the waters with small, rather inconsequential bugs instead of the vulnerability issues hoped for. Bug bounties, unless strictly scoped and controlled, often turn out to be an instantiation of Goodhart's law - when a measure becomes a target, it ceases to be a good measure. This can be easily seen in the pay-by-the-bug models used by companies such as Applause, where most people testing try to find and report more simple, easy bugs rather than spending the time to find the bugs that the customers really want found.
My company doesn't have a "bug bounty" program, and I have never participated in one, but it seems like a pretty good idea to me. 

It does incentivize hackers, but only if they're reporting their findings. I'm not aware of any cases of hackers getting into a system and exploiting it (such as stealing data, etc) for their own gain. 
I've found many bugs in "alleged" bug bounty programs. But most, including Google, are selective about whether they pay out. It even says in the fine print that if you find a serious threat, they aren't required to pay out.
Many programmers, myself included, find it far more profitable to just sell the exploit rather than have a company not even say thank you.
Plus, many companies don't care about their customers' privacy. It's simply cheaper for them to settle a lawsuit than to pay someone to monitor their systems. And a majority of the hacking that goes on isn't reported by the company to the investors or the customers.
Ever wonder why you never hear of Google getting hacked? It's not because it doesn't happen; it's because they aren't required to report it. Read the fine print of Google's Terms and Conditions.
That's the reason they don't work. Companies are greedy and just don't care about their customers. I don't blame them for not caring; if you are stupid enough to use a product without being aware that you signed your rights away, then you kind of deserve to be taken advantage of.
And I don't know where you got the information about "many hackers wanting to be part of the greater good," but that is totally incorrect. If you don't pay me for finding an exploit, then I, and a majority of programmers, will sell it.
It's a job; we make money doing it.

What you are essentially saying is that a structural engineer should design a building for a very wealthy individual and not expect to get paid for it, or even a thank you.
Money is a driving factor for all of us
@abuell what are you talking about? There are so many instances of hackers stealing data for their own gain.
Recently there were Sony, Anthem, Target and Home Depot. Those happened in the last 8 months.