Bug bounties pay off: Are they right for your company?

In 2014, pro-privacy technology firm Silent Circle announced a bug bounty program that offered researchers at least $128 for any new vulnerabilities they could find in its source code. In that first year, the company awarded 71 bounties for vulnerabilities across all its products, with the average bounty far exceeding the $128 minimum.

Today, the program is still going strong, said Hamilton Turner, chief technology officer at the company. But it took time to tune the program, he said. "We did have to go through a number of iterations as a company to focus researchers on what is valuable in terms of what we wanted to put our money behind."

Silent Circle is one of at least 416 companies that recognize or compensate independent hackers for finding vulnerabilities as part of bug bounty programs, according to a list maintained by bounty-program management firm Bugcrowd. In 2017, the firm paid out $6.3 million in bounties, triple the $2.1 million it paid out the prior year. HackerOne, a rival program, paid out more than $10 million in 2017, according to a spokesperson for the firm.

Large private companies also run significant programs. Google announced that it paid out $2.3 million in 2017 in 1,200 awards. Since it started its program in 2010, the company has paid out almost $12 million in bug bounties.

While the number of vulnerabilities found through bug bounties accounts for only about 6% of the total bugs found, according to the latest report from security-information firm Risk Based Security, the number of vulnerabilities reported for bounties has increased to more than 1,200 in 2017, up from 915 the prior year, according to the report.

Companies looking to augment their security, however, should not expect to rely solely on independent hackers to vet their software for defects. Before your company institutes its own bounty program, here are five things you should know.


1. Put the reporting infrastructure in place

If your company cannot handle even a basic bug report, then it should not be jumping into a bounty program, said Rafal Los, vice president of solution strategy for the cloud-security firm Armor.

"You have to be able to triage vulnerability reports. And, if the issue they find is bad enough, you have to be ready to handle a full-fledged incident."
Rafal Los

Vulnerability-program management firms stress that companies considering a bounty program should keep it simple. Create the infrastructure to report bugs first, and try to triage a few issues. Most companies do not even have that capability, said Adam Bacchus, director of program operations for HackerOne.

"There is no excuse for not having the means to receive a bug from the outside. But when it comes to a program, there are many other considerations as well, so start small."
Adam Bacchus

2. Get the low-hanging fruit before offering bounties

Companies should also not start a bug bounty program before they test their own security with automated scanning and basic penetration tests.

"The cool thing about bug bounty programs is that you are leveraging an army of hackers. That said, if you haven't done basic security scans, you might want to pick up [that] low-hanging fruit. If you haven't done that, you don't have an idea of what your security posture is."
—Adam Bacchus

Bacchus has encountered scenarios where an organization did not conduct any tests and then got inundated with outsiders' reports of cross-site scripting vulnerabilities. The company had to move those issues out of scope until it could run basic tests and fix the problems.

3. Be responsive

In addition to putting in place the processes for reporting vulnerabilities, companies need to track issues and respond to submitters in a timely manner.

"A lot of hackers are going to be motivated by intangibles. If a company fails to be responsive with a bug bounty program, I would argue that that is probably worse than not having a bug bounty program."
Hamilton Turner

Silent Circle has assigned workers from three different business groups to watch for bug reports and to manage the process. "We have multiple people in the company that are responsible for monitoring the bug bounty program and are responding quickly and appropriately," Turner said. "All three parts of the company—product, security, and engineering—have an assigned person who watches for reported issues."

4. Keep it focused

Just as companies focus their internal security efforts on the issues about which they are most concerned, bug bounty programs need to specify clearly what issues and software are in scope. This reduces the number of issues reported and should lead to higher-quality reports.
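The scope and responsiveness points in sections 3 and 4 are easy to state and easy to let slip once reports start arriving. The following is an added example written for this page, not tooling from Silent Circle, HackerOne or Bugcrowd: a small triage helper that checks each incoming report against a published scope (host patterns and vulnerability classes temporarily excluded, as in the cross-site scripting flood described above), flags in-scope reports that have gone past a first-response window, and counts recurring vulnerability classes so that a pattern stands out for root-cause work. The policy fields, the two-day response window, the `example.com` hostname patterns and the sample reports are all constructed assumptions.

```python
"""Scope check, first-response tracking and recurrence counts for bug reports.

Added example for illustration only; the policy values, report fields and
sample reports below are constructed and do not come from any real program.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch


@dataclass
class ScopePolicy:
    in_scope_hosts: list[str]        # glob patterns such as "*.api.example.com"
    out_of_scope_classes: set[str]   # classes excluded until internal fixes land
    first_response_sla: timedelta = timedelta(days=2)   # assumed response window


@dataclass
class Report:
    report_id: str
    host: str
    vuln_class: str
    submitted_at: datetime
    first_response_at: datetime | None = None


def classify(report: Report, policy: ScopePolicy) -> str:
    """Return "in_scope", "out_of_scope_host" or "out_of_scope_class"."""
    if not any(fnmatch(report.host, pattern) for pattern in policy.in_scope_hosts):
        return "out_of_scope_host"
    if report.vuln_class in policy.out_of_scope_classes:
        return "out_of_scope_class"
    return "in_scope"


def overdue_reports(reports: list[Report], policy: ScopePolicy, now: datetime) -> list[str]:
    """IDs of in-scope reports still awaiting a first response past the SLA."""
    overdue = []
    for report in reports:
        if classify(report, policy) != "in_scope":
            continue
        if report.first_response_at is None and now - report.submitted_at > policy.first_response_sla:
            overdue.append(report.report_id)
    return overdue


def recurring_classes(reports: list[Report], threshold: int = 2) -> dict[str, int]:
    """Vulnerability classes seen at least `threshold` times, in or out of scope.

    Out-of-scope reports are counted too: a flood of one class is itself the
    signal that internal scanning should have caught it first.
    """
    counts = Counter(report.vuln_class for report in reports)
    return {cls: n for cls, n in counts.items() if n >= threshold}


# Constructed reference time and sample data.
NOW = datetime(2018, 3, 10, 12, 0, tzinfo=timezone.utc)
POLICY = ScopePolicy(
    in_scope_hosts=["app.example.com", "*.api.example.com"],
    out_of_scope_classes={"reflected-xss"},
)
SAMPLE_REPORTS = [
    Report("R-1", "app.example.com", "sqli", NOW - timedelta(days=3)),
    Report("R-2", "v2.api.example.com", "idor", NOW - timedelta(days=1)),
    Report("R-3", "app.example.com", "reflected-xss", NOW - timedelta(days=5)),
    Report("R-4", "blog.example.com", "reflected-xss", NOW - timedelta(days=4)),
    Report("R-5", "app.example.com", "idor", NOW - timedelta(days=4),
           first_response_at=NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(r.report_id, classify(r, POLICY))
    print("overdue:", overdue_reports(SAMPLE_REPORTS, POLICY, NOW))
    print("recurring:", recurring_classes(SAMPLE_REPORTS))
```

With the constructed data, R-4 is rejected on host, R-3 on the excluded class, and only R-1 is overdue: R-2 is still inside the window and R-5 already received a response. The recurrence count reports both `idor` and `reflected-xss` twice, which is the kind of signal the "whack-a-mole versus root cause" remark below is about.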

In addition, companies should fully analyze bug reports and turn the vulnerabilities into patterns that can then be used to analyze the firm's entire codebase.

"One thing I'm seeing more and more is that companies are not just using bug bounties to play whack-a-mole, but to do root-cause analysis and take the knowledge and build it back into our process."
—Adam Bacchus

5. Determine if a bug bounty is right for you

While more companies could use bug bounty programs to help keep their software and services more secure, the initiatives are not for everyone. Companies that lack either the infrastructure needed to handle reports or the knowledgeable staff required to triage the issues may want to consider alternatives.

"There are certainly circumstances where it won't work. If you cannot validate what people are telling you, reconsider, because you are going to get some very complicated reports."
—Rafal Los

In addition, companies that hold very sensitive information need to take care in how they structure their programs, he said. The Department of Defense, for example, runs a bug bounty program but limits it to certain technology and does not expose sensitive systems to researchers.

And the bug bounty program cannot come at the cost of other security efforts.

"The value of a bug bounty is additive to what you are doing today. It is not a replacement for anything. You are not going to institute a bug bounty program and then stop doing [internal] software security."
—Rafal Los

Why bug bounties are here to stay

That said, Los and other experts said that bug bounty programs—and, more broadly, vulnerability-reporting programs—are critical for any company, especially for those outside the technology industry. Vulnerability-reporting programs give researchers a channel to report security issues to the company, but without a reward.

Companies that do not have the technical wherewithal to create a bug bounty program from scratch can hire firms that help manage the process using their own platform.

While bug bounty programs alone aren't enough to secure your company's software and services, they are fast becoming a necessary part of every company's security programs, said Dan Cornell, chief technology officer for the Denim Group, a software consultancy. 

"Bug bounty platforms have provided a lot of benefit because they lower the bar for organizations that want to adopt a bug bounty."
Dan Cornell
