Why every organization needs a bug bounty program

Evgenia Broshevan, Evangelist, HackenProof

New data-driven businesses are mushrooming, organizations across industries are embracing technological advancements, and cybercriminals are getting more sophisticated. Cybercrime rates are growing, and with further growth of such crimes expected

Despite the astonishing number of cybercrime categories, however, the perception of risk per se seems to be the heart of the problem. Being entranced by digital tech, too many companies estimate the cost of being a victim to be low, and readily accept the risk. Many people see data breaches as a cost of doing business.

In October 2018, HackenProof held an onsite bug bounty marathon called HackenCup. The event gathered 25 talented hackers from around the world to search for vulnerabilities in three products. The ride-sharing service Uklon was one of them.

The team of ethical hackers found four major vulnerabilities that could lead to a vast array of serious issues. By the end of the day, the hackers submitted 74 reports, which both shocked and excited Uklon’s founder.

Uklon is not alone in discovering the benefits of bug bounty programs. After the Marriott hack, Hyatt Hotels launched its bug bounty program. Here's why your organization should get proactive with bug bounties.


Bug bounty: Advantages and challenges

You might remember the story of Frank Abagnale, probably the most talented fraudster in history, who ended up helping the FBI and other law enforcement agencies uncover fraudulent schemes. The idea is to fight fire with fire: Abagnale knows the psychology of criminals and their "craft" better than anyone.

This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities before the bad guys beat them to it. In other words, running a bug bounty program is getting ahead of the game by being proactive and predictive. A bug bounty is an alternative way to detect software and configuration errors that can slip past developers and security teams, and later lead to big problems.

But it's important not to over-rely on bug bounty programs. Since these programs are incremental, they don't eliminate the need for secure software development practices, system scans, or testing.

Unlike traditional penetration testing services that generate a culture of fear and meeting compliance requirements, bug bounties are about creating a culture of openness, transparency, and responsibility. Even if your company doesn't offer bug bounties, you need to establish a vulnerability disclosure policy as soon as possible. 

Another term for this is responsible disclosure policy: A legal statement stating that your company won't prosecute ethical hackers who detect vulnerabilities in your products. Startups and young organizations that haven't adopted such policies are missing out.
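A concrete way to publish such a disclosure policy is a security.txt file served at /.well-known/security.txt, the format standardized in RFC 9116. The article does not mention security.txt; the following validator is an added example, not code from the author or HackenProof, and the sample files, domains and contact addresses in it are constructed placeholders. It checks the points a researcher will trip over in practice: a missing or expired Expires field, a missing Contact, and web URIs that are not https.

```python
"""Validate a security.txt (RFC 9116) file before publishing it at
/.well-known/security.txt. Added example; domains and addresses are placeholders."""
from datetime import datetime, timedelta, timezone

# Constructed sample of a well-formed file for a placeholder domain.
GOOD_SECURITY_TXT = """\
# Vulnerability disclosure contact for example.com (placeholder domain)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en, uk
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the mistakes seen most often: no Expires, plain http.
BAD_SECURITY_TXT = """\
Contact: http://example.com/security/report
Policy: http://example.com/security/disclosure-policy
"""

REQUIRED = ("Contact", "Expires")                 # RFC 9116: MUST be present
SINGLETON = ("Expires", "Preferred-Languages")    # RFC 9116: at most once


def parse_security_txt(text):
    """Return {field: [values]} from the file, ignoring comments and blank lines."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is ready to publish.

    `now` may be an ISO 8601 string (useful for repeatable checks) or None for
    the current UTC time.
    """
    now = parse_timestamp(now) if now else datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")

    # Web URIs anywhere in the file must be https; mailto: and tel: are fine for Contact.
    for name, values in fields.items():
        for value in values:
            if value.startswith("http://"):
                problems.append(f"{name} uses plain http, must be https: {value}")

    expires = fields.get("Expires", [])
    if len(expires) == 1:
        try:
            when = parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
        else:
            if when <= now:
                problems.append("Expires is in the past; researchers will treat the file as stale")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(sample, now="2029-06-01T00:00:00Z") or "OK")
```

Run it against the file you intend to publish (read it from disk in place of the constructed samples) and re-run it from a scheduled job, since the most common failure in the wild is an Expires date that quietly lapses.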

Consider bug bounties carefully

A bug bounty program is a valuable tool if you use it carefully. To avoid legal problems and risk to your company's reputation, you must be thoughtful about how you design and implement these programs.

Before diving into the program, consider what network components and data you should include—in other words, define the scope of the bounty program. You must have unquestionable clarity about the authorized conduct framework, and you must decide what proof you'll require to confirm a hack and how people should share that information.

Since a bounty program is about trust and transparency, your organization must be open about how it will pay for vulnerability detection.

Obviously, companies differ in information types, contractual or other obligations, and legal requirements, so it's important to create rules and comply with them. Don't compromise on that. Otherwise, you'll have a high chance of ending up in an unfavorable negotiating position or becoming susceptible to legal or other risks.


A walk through the process

Consider the bug bounty program's lifecycle:

Bug bounty brief

Once a company has chosen a bounty program and platform, it creates a brief that describes the rules of researcher engagement. It provides detailed information about the company, what to look for and what not to look for, pricing level, and specific rules for hackers.

Program launch

Publish the brief on a bounty page. Then conduct marketing activities to attract ethical hackers to your program.

Start of the program

Next, security testing begins as hackers work on your software, detect bugs, and report them. Their reports should show how the detected vulnerabilities can be exploited and be submitted through your site.

Triage team stage

Your bug bounty platform must include an in-house cybersecurity triage team. These high-profile specialists can verify reported bugs and define what level of security the organization needs. 

Fixing the bugs

After your company receives a report detailing a bug and how to fix it, the researcher who found it should receive a payment, along with reputation points on the platform.

A bug bounty success story

You can judge the effectiveness of your bounty program by how many successful cases a platform has. Kuna is a case in point.

Kuna, the first public crypto exchange, launched the development of basic infrastructure for innovative financial tech projects, both in Ukraine and in foreign markets. Mindful of the recent security breach at Coincheck, Kuna decided to secure its reputation by creating a bounty program.

Its software contained several logic errors, implementation errors, and vulnerabilities in third-party components that the crypto exchange uses. It also suffered from XSS-type vulnerabilities, which can lead to serious issues. These vulnerabilities could have resulted in account theft or the manipulation of users' account balances. If not for the bounty program, the Kuna crypto exchange might have suffered losses in the tens of thousands of dollars—several times greater than the cost of its bounty program.

Getting started: Assessment

Every business has to weigh the pros and cons, and decide for itself whether a bounty program is the next step, so start with a self-assessment. Diving into bug bounty thoughtlessly and launching a program without thinking it through can do more harm than good.

Bug bounties are effective when used thoughtfully and professionally. Bug bounty frameworks are complex and multi-layered, so choose the right platform for you. And with the rise of new technologies, the approaches of hackers evolve, too.

For cyberspace to be safe, your countermeasures must correspond to the scope of the problem; reacting to cybercrimes after the fact is not enough. New breaches are in the news every day, and some of the victims include some of the largest businesses. Bug bounties are one way to help your business avoid the headlines.
