Bug bounty programs, in which independent researchers report security vulnerabilities to organizations in exchange for a monetary reward, have steadily grown in popularity over the past several years. More companies, both large and small, have integrated such programs into their security model, and dedicated platforms for community-sourced security testing, such as HackerOne and BugCrowd, have proliferated.
Bug bounty payouts and participation have also steadily increased over the years. Google recently raised its highest payout offer to $1.5 million for an Android exploit, and in 2020 HackerOne announced that bug bounty hunters on its platform had cumulatively earned more than $100 million.
So, why doesn't everyone participate in these programs then?
The Truth About Bug Bounty Programs
According to Katie Moussouris, founder and CEO of Luta Security, "bug bounties have been a great idea poorly executed for the last decade or so." As a result, she says, "They're not a cost effective replacement for penetration testing."
Part of that poor execution comes from the abundance of reports. Bug bounty hunters are only paid if they report issues. So, naturally, they report a lot of issues. At first, organizations are excited to review these reports. However, as other projects arise and priorities shift, the security team often has less and less time for the program, to the point that "at about the 18-month to two-year mark they start to collapse under their own weight," says Moussouris.
In addition, effective bug bounty programs require very specific rules of engagement and scope so that organizations can distinguish between legitimate bug hunters and malicious actors. Even so, the vast majority of bug bounty participants concentrate on website vulnerabilities (72% according to HackerOne), leaving network and wireless controls mostly untested.
Moreover, bug bounty hunters are anonymous Internet users who aren't bound by non-disclosure agreements, carefully constructed legal contracts, or even verbal commitments. This can deter organizations that handle proprietary software and personal data, particularly protected data such as health information, from creating a program at all.
Finally, bug bounty programs can only be effective as part of a larger security program—not as the entire security program.
For example, if patch management and remediation efforts aren't fast and efficient, the organization is likely to receive multiple reports of the same issues over and over, frustrating both the hunters who worked hard and won't get paid and the security team who must review the same reports.
So, although they were once considered the "next big thing," bug bounty programs aren't for everyone. They are one more part of a larger security program that can be very effective when done well, but can become a bigger problem than they solve if not. The important thing is to set appropriate expectations and plan the program carefully.
If you'd like more support in building an effective security program, please contact us to learn more about how Craft Compliance may be able to support your needs.