SAN FRANCISCO -- Are bug bounty programs, one of the hottest buzz phrases in cybersecurity today, an enterprise's answer to vulnerability detection, or will they ultimately have a negative impact?
That was the question asked at an RSA Conference discussion last week. Panel members Casey Ellis, CEO and co-founder of Bugcrowd; Chris Evans, security researcher at Google; and Nate Jones, technical program manager at Facebook, all weighed in on the oftentimes controversial subject.
On one hand, Jones said, bug bounty programs are cost-effective; organizations are paying for legitimate results rather than paying for regular penetration tests.
Audience members, however, remained skeptical. If employees are hacking a customer's network, one attendee asked, why shouldn't we be worried about them exploiting the vulnerability themselves?
"Do bug bounty programs increase threats?" another attendee asked. "Do they incentivize hackers?"
Someone in the crowd took to the microphone to explain that even though bug bounties exist, not all hackers necessarily go looking for bugs; they often happen upon vulnerabilities and report them, pocketing a little cash for doing a good deed.
Evans said he doesn't believe it creates any more incentive than already exists. "Say your company has an asset to protect," Evans said. "It is, kind of by default, running a bug bounty program already."
But are all hackers good?
Audience member and HackerOne Chief Policy Officer Katie Moussouris commented that some hackers do choose the color of their "hat" per bug. If they can't get their preferred "vehicle," she said, they may pursue an alternate incentive.
Ellis added that the stigma surrounding hackers isn't 100% true 100% of the time, noting many people think money is the driver of all hacker activity. Sure, hackers have the ability to cause harm, Ellis said, but many truly want to be part of the greater good.
Do bug bounty programs really help?
So, will bug bounties see a cobra effect -- that is, will the attempt to solve the problem actually make it worse? Will people create vulnerabilities to report them, exploiting the whole basis of the bug bounty system?
The possibility is there, Evans said, but that's where the responsibility of the enterprise comes in. After finding a bug, organizations should do root-cause analysis, find out where the bug came from, who was accountable, how it exploited their system, where the code failed and, ultimately, patch the problem to ensure it won't happen again. After this, Evans continued, it is important to assess whether the bug bounty program is having an impact on exploitation rate.
Ellis added that bug bounty programs aren't meant to be a sole security strategy; enterprises should be looking to prevent bugs and build security into their software to prevent the problems in the first place.
Bug bounties: Here to stay
At the end of the hour, it became clear that bug bounties will be around for a while.
Evans said bug bounty programs are "pioneers that have blazed a trail" toward improved cybersecurity.
Jones mentioned that bug bounties are not only helping incentivize people to report security vulnerabilities in a responsible manner, but they also remove the trepidation many researchers have about reporting issues.
"The amount of global enthusiasm is great," Jones added. "We've taken a topic that used to make researchers fearful -- 'Am I going to get prosecuted? Is something else bad going to happen?' -- to the point now where we can have a much more open dialog."