
Bug Bounty Program: Is It Right for You?


Films like The Fifth Estate and The Italian Job have shown the dark side of hacking. But few people ever talk about the lighter side of hacking, or how hackers can actually help businesses improve their security.

Bug bounty programs are an opportunity to find bugs when your team can’t find the issue or doesn’t have time to hunt for it. You put a “bounty” on vulnerabilities in your software, and ethical hackers sign up to locate and report them in exchange for a reward.

We recently sat down with Ryan Black, CISO of Origami Risk, to talk more about bug bounty programs. Here’s what we’ve learned.

Who Benefits from Bug Bounty Programs? 

There are plenty of people in the world who know how to hack but would never steal data or extort others. These are the same people who pulled alarm clocks apart as kids just to see if they could put them together again; they like poking holes in things and finding solutions. These are the people you work with when you implement a bug bounty program.

Bug bounty programs work for companies that want to test their websites, applications, or cloud infrastructure for vulnerabilities. These initiatives work best in conjunction with a well-staffed, mature security team.

Alternatively, if an organization is not quite ready for a bug bounty program, or otherwise has an immature product security function, Black cautions that it could actually do more harm than good.

Deciding whether a bug bounty program is right for you

Bug bounty programs work only if you can fix bugs once they’ve been found. That means you need a team capable of addressing security issues, a budget for paying bounties, a system for rating the severity of issues as they come in, and enough time to dedicate to them.

How Do You Implement a Bug Bounty Program? 

Getting a bug bounty program off the ground isn’t hard, but it does take a careful analysis of what you need, and the discipline to pay only for findings that add value. Bounty hunters might find a dozen bugs on your site, but if you already knew about those bugs, the reports don’t do you any good. There’s a balance to strike between building rapport with researchers by rewarding them appropriately and depleting your budget on known issues. Likewise, if multiple ethical hackers locate the same bug, you don’t want to pay all of them for duplicate information. Spell this out in your program rules: you pay for in-scope, high-impact bugs you were not already aware of, and only the first valid report of a given issue is rewarded.

Knowing what to test

Before you hire ethical hackers, you need to know what vulnerabilities you want them to test for. Black suggests starting with your highest-risk issues first.

He also suggests rewarding hackers for their results, not their perceived efforts: “If someone clicks a button and steals all your clients’ data, that’s a big deal. It’s not important if your development or security team thinks it was difficult or not.”

Because these same team members often have a role in triage or payment, they may be tempted to take that position, especially when the discovery of this “easy fix” was not their own. Severity should be rated by the impact of the finding, not by how hard the team thinks it was to find.

Overcoming objections on your team

It’s unsettling to learn that you will be inviting hackers to target your systems. With so much negative information out there about hackers, it’s no wonder that there might be objections on your team.

One of the best ways to approach this is to have the facts at your fingertips before you propose setting up a bug bounty program. Know the statistics on the cost of security breaches and the general ROI of bug bounty programs, and propose a system for managing your program. Whether you self-manage the program or use one of the many platforms, such as Bugcrowd, that also offer triage services for incoming submissions, have a full proposal in place when you bring it to your team.

Dealing with unsolicited vulnerability reports

Occasionally, someone will come to you with information about a security issue even though you never hired them to find it. Good-faith vulnerability reports can be very helpful when managed carefully. Publish a responsible disclosure page with reporting instructions and a safe harbor statement, following a standard such as Disclose.io, so that researchers know where to report and what conduct you consider authorized.
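Researchers look for that disclosure page in a predictable place. As an added example that is not part of the original post or of any real program, here is the kind of pointer a company might publish at /.well-known/security.txt in the format defined by RFC 9116; the hostname, addresses, URLs, and expiry date are placeholders you would replace with your own.

```text
# Example security.txt served at https://www.example.com/.well-known/security.txt
# (placeholder values; not a real program's file)
Contact: mailto:security@example.com
Contact: https://www.example.com/security/report
Expires: 2026-01-01T00:00:00.000Z
Policy: https://www.example.com/security/disclosure-policy
Encryption: https://www.example.com/security/pgp-key.txt
Acknowledgments: https://www.example.com/security/thanks
Preferred-Languages: en
Canonical: https://www.example.com/.well-known/security.txt
```

Contact and Expires are the two required fields; a file with a past Expires date is treated as stale, so put a reminder on the calendar to refresh it. The Policy URL is where the scope, the rules on known issues and duplicates, and the safe harbor language belong, and the Encryption key lets a reporter send details of a live vulnerability without exposing them in plaintext email.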

And while you may not be able to pay for every white-hat hacker’s discovery, learning to work with ethical hackers who have the skills to break into your database but the drive to do good can bolster your business and improve your security while you pay only for the services you need.


The bottom line

If your company objectively finds value in a submission, it needs to be accountable for paying the reward it solicited for that work. There should be no wide subjective discretion internally: the program rules are effectively a contract with independent contractors.

Black’s advice? “Pique those folks’ interest, engage with them, and reward them appropriately. You may even want to hire them.”

Implementing a bug bounty program lets you augment your security program with many talented eyes to protect your customers.

By setting clear expectations and parameters for both the researchers and your organization (for example, good-faith submissions only and no stealing data, but also “touch the code, pay the bug”), ethical hackers can poke holes in your system and find vulnerabilities before they become security incidents down the road.


Want to learn more from experienced security leaders like Ryan? Join the conversation at the Blue Lava Community.
