Bug bounty programmes are becoming increasingly popular in both the public and private sector. They allow companies to leverage the hacker community to discover and report vulnerabilities and bugs in websites and software in return for compensation.
The FAQs below, from Evalian, the data protection and cyber security specialists, are intended to help you decide whether a bug bounty programme might be useful for you.
What is a bug bounty programme?
Also known as a vulnerability disclosure programme, a bug bounty programme is a crowdsourced model used by organisations to incentivise external security researchers, or even members of the public, to discover and disclose vulnerabilities found in systems, applications and/or data. In return for reporting a vulnerability, the researcher receives a bounty – such as a financial reward or discount code – subject to the terms of the programme.
While bug bounty programmes aren’t new, they are becoming more prevalent. In fact, they are promoted in the National Institute of Standards and Technology’s Cybersecurity Framework, which recommends that organisations put in place processes to “receive, analyse, and respond to vulnerabilities disclosed to the organisation from external sources.”
What is the difference between public and private bug bounty programmes?
Public: A public programme invites anyone to participate, subject to the rules of the programme. Anyone who signs up to the programme, or who operates within its rules if sign-up isn’t required, is eligible for the bounty when reporting a vulnerability within the agreed scope. These programmes enable many bug bounty hunters to take part, which has the potential benefit of more feedback and wider exposure. The Facebook bug bounty programme is one example.
Private: A private programme is invite-only, where you choose specific, reputable researchers to engage. These researchers should have a high level of expertise. However, they will likely also expect a higher level of compensation. Private programmes are a good fit for organisations that are wary of exposing their systems or applications to the outside world, or those that handle sensitive information that would have a detrimental impact if exposed. An example is the Ministry of Defence’s 30-day challenge run during 2021.
Why should you consider a bug bounty programme?
Security vulnerabilities are commonplace in software, applications, web pages and systems. As organisations tailor the functionality of their systems by adding code, new weaknesses may be introduced. Whether it is a design flaw, a misconfiguration or unpatched software, threat actors may attempt to exploit it.
While third-party penetration testing is an excellent tool for finding and fixing security weaknesses, it is usually only done annually or after a major system update, and it is typically highly focused and time-limited. For a detailed overview, read Evalian’s guide to penetration testing.
A bug bounty programme can complement existing vulnerability management processes in the gaps between penetration tests so you can keep on top of weaknesses in systems before a malicious entity discovers and exploits them.
The pros of bug bounty programmes
- A cost-effective way to manage vulnerabilities, because you pay for results, not for the time spent looking for them.
- They demonstrate a level of security awareness and commitment to your customers and partners, which can boost confidence.
- They reduce the likelihood of a successful cyber breach.
- They have proved popular with Facebook, Google, Reddit and Microsoft, as well as with smaller enterprises and the public sector. In the 5+ years that the Pentagon’s bug bounty programme has been running, researchers have submitted more than 29,000 vulnerability reports, of which more than 70% were determined to be valid, according to the US Department of Defense.
The cons of bug bounty programmes
- The challenge for many is budget and complexity. For example, in 2020, Microsoft’s bug bounty programme saw more than 340 researchers awarded a total of $13.6M. A programme of this scale takes a great deal of time, coordination and financial backing.
- They can be controversial, particularly where a bug is reported to a company that does not have an official programme, as the bug hunter could be seen to be extorting the target rather than acting for good.
- Issues have arisen regarding the ethics of these programmes. As a recent CREST report on bug bounties noted, companies and security researchers often don’t have binding contractual relationships. And even if they do, there is a risk that a security researcher could ‘turn to the dark side’ and choose to sell the vulnerabilities they discover on the black market, or even double-cross the company by asking for payment while also selling the information on the dark web.
- This links to another issue: trust. Bug bounty programmes, after all, invite people to exploit your systems and applications. For companies setting up their first programme, building trust is essential – which is why many companies turn to third-party bug bounty platforms. These act as an intermediary between companies and the bug bounty hunters.
Making bug bounties work for your business
While you might automatically associate bug bounties with large financial rewards, this doesn’t have to be the case. There are many ways to scale bug bounty programmes up and down to fit your organisation’s specific requirements and expectations. Moreover, you don’t have to offer financial rewards.
Before embarking on a bug bounty programme, it’s essential to set the limits of what you are willing to offer as a reward and, if it is financial, exactly how much. Your bug bounty programme does not need to provide thousands of pounds in rewards.
Many bug bounty hunters participate in these programmes for career development, kudos and even as a hobby – almost like gaming. Indeed, vulnerability researchers often have wide and varied backgrounds. Some make their full-time living from bug bounty hunting. Others are junior researchers who want to build up their skills and bolster their CVs – and a recommendation from your company for finding a vulnerability could be all the payment they are seeking.
Then there are those bug bounty hunters who are looking for a challenge. They enjoy honing their skills and testing their capabilities. In line with this, many third-party bug bounty platforms have created leaderboard systems that gamify the hunting experience, and for some the achievement of successfully finding bugs is more than enough payment.
But that doesn’t mean you should ask security researchers to work for free. After all, bug bounty hunting takes time and effort. Depending on the products or solutions you sell, you could offer unique types of rewards, such as discount codes, prizes, coupons that can be redeemed elsewhere or even a part-time job. For example, United Airlines offers frequent flyer miles to bug bounty hunters as a reward.
Ultimately, the reward offered should be proportionate to the severity of the vulnerability discovered and the time and effort the researcher has spent. If the compensation offered is deemed unfair, you could face a negative backlash. For example, in 2013, Yahoo had to change its bug bounty policies after it offered t-shirts to bug bounty hunters for finding some critical vulnerabilities. The offer created a negative media frenzy, which damaged the reputation of Yahoo’s programme.
If you’re considering a bug bounty programme, a good place to start is by setting up a vulnerability disclosure process. This allows security researchers, or even the public, to contact you should they find a weakness in your systems. Evalian also recommends reading the National Cyber Security Centre’s advice on vulnerability disclosure as a starting point. Ultimately, bug bounty programmes can be a solid addition to your vulnerability management process, complemented by penetration testing and regular vulnerability scanning. You can contact Evalian on hello@evalian.co.uk if you want to discuss your options with them in more detail.
And if you need help pulling together the terms and conditions for your bug bounty programme, please get in touch with us on info@legaledge.co.uk.