Gareth O’Sullivan, EMEA Director of Solutions Architecture at WhiteHat Security discusses how bug bounty incentives can be used to effectively complement a business’s existing security strategy.
Crowd sourcing is not just a buzzword. Already an attractive option for a variety of consumer applications, it is now catching on in the corporate world as well. One emerging category of crowd sourcing is bug bounty programmes; rewards offered by organisations to security researchers, who receive recognition and compensation for finding and reporting bugs, exploits and vulnerabilities in the organisations’ websites and applications.
As a technology company or security professional, it’s easy to see the attraction of running bug bounty programmes. But these programmes are not without risk, and timing can be a critical factor. Unless they are managed carefully, bug bounty programmes can come with serious consequences for your overall security posture.
What is a bug bounty programme?
Bug bounty programmes have been around since the mid-to-late 1990s, but the number of organisations offering them were fewer than a couple of dozen until just a few years ago, when some large companies like Facebook, Google, Microsoft, and Yahoo launched very high profile programmes.
They now come in all shapes and sizes, with some applying to back-end software, some to customer-facing websites and applications, and some to hardware. They are most predominantly found in the high-tech industry, but recently they’ve been appearing in sectors such as retail, social media, gaming, finance and travel.
Programmes can be managed in one of two ways: Organisations can take a “do-it-yourself” approach, or they front-end it with a bug bounty broker. Brokers will create and manage bug bounty programmes on behalf of their customers.
Do-it-yourself bug bounty programmes are resource-intensive to run, and they involve a process that is very hard to automate. They also take a lot of time and money to do well, which is why only the largest social networking, e-commerce, and software companies are running their own programmes.
When does it make sense to implement a programme?
A bug bounty programme can be a great complement to your existing application security initiatives to add extra eyes to your one or two most business-critical applications. Running a bounty programme can help to encourage goodwill in the hacker community, turning that community into a sort of “neighbourhood watch” for the company and its products.
For most organisations, adding a bug bounty programme to the mix comes at a stage when existing app security programmes are on the mature spectrum, where very few vulnerabilities are produced and they are being fixed as quickly as they are reported.
Proper risk assessment is critical
Today, as organisations consider their overall security posture, one of the biggest concerns is over who has access to what, when it comes to vulnerability testing. With much of the testing taking place on source code and behind firewalls, understanding who has access, where the testing will take place, and where the vulnerability data will be stored are all critical considerations.
In a bug bounty model, organisations have very little visibility or control over these considerations. Most security researchers are working privately and there is certainly no way to keep tabs on them. There have been cases in the news recently, in which bug bounty hunters have gone far beyond what the organisations expect of them and have accessed sensitive data that the organisations didn’t want to share publicly.
Bug bounty hunters may also try out unexpected testing methodologies and techniques to probe your websites and may end up compromising the security of your secondary systems or inadvertently accessing the source code of your web applications stored on SVN servers.
Furthermore, there is no way of ensuring that your entire application has been combed through diligently to find all the vulnerabilities. Since most of the bug bounty hunters work independently, you have no idea what areas of the websites have been assessed and what haven’t, so you can never truly know what your security posture is.
Start the programme small
Many large and small organisations realise the value of bounty programmes vis-à-vis access to skill sets and scalability, but they have also recognised that they can be difficult to control from a budget perspective. If you’re considering a bug bounty programme, there are a few important steps that need to be taken.
The first step involves running a time-bound, closed, and confidential bounty programme before opening things up to a larger crowd of participating bug hunters. Apple recently announced that it was holding an invitation-only bounty programme. The invitation-only approach enables Apple to ensure it engages with vetted researchers who are interested in working with them to find and disclose security problems within what are most likely as-yet unreleased software builds.
In a scaled-down programme, a small and elite team from a bounty hunter pool should be allowed to test a select number of applications and websites over a short period of time – usually two to four weeks. Following this test, which establishes trust in the process, the bug bounty programme can then be opened up to the world at large.
Hack yourself first
Security-conscious organisations have been interested in bug bounty programmes for years, and many have been keeping a close eye on how these programmes are evolving – specifically, where they can and should fit in their security mix, and the economics associated with this. Using a dual-pronged approach of a comprehensive security programme plus a bug bounty programme, you should be able to have the most effective security strategy at the right times. This will safeguard your digital assets and help you beat hackers at their own game.
Edited for web by Jordan Platt