A Bug Bounty Program is an organized service where companies can have their websites or applications tested by freelance hackers. These freelancers look for vulnerabilities and give the hiring companies detailed instructions on how to fix them, in return for monetary compensation and, depending on the platform the program runs on, points towards their ranking. Bug Bounties have been around for many years and are used by some of the biggest companies in the world, such as Facebook, Google, Apple and Paypal. They are the exact opposite of a bad concept in security known as “Security through obscurity” (STO), which means relying on the secrecy of a security engineering design or implementation as the main method of protecting that system. While STO can have some benefits, it’s not something you can expect to maintain for an entire website or application that is public facing. If it’s on the internet, its weaknesses will be found in time. Bug bounty programs take a proactive approach to this by inviting people to look at your system, find the vulnerabilities and report the bugs to you before anyone with bad intentions has a chance to exploit them. Many companies run a program before going live so that any outstanding security issues are fixed before the product is released.
You get multiple opinions: Bug Bounties posted on big platforms can have tens or hundreds of researchers working on them at a time. This is good for you as an owner because you have more eyes looking for weaknesses: more people with different skill sets and techniques, and researchers with different levels of experience. This makes it more likely that something interesting is found, compared to hiring one consultant to perform the assessment for you.
Relatively Cheap: A good consultant can charge anything from $100-$500 an hour, and some will charge even more than that! Bug bounty programs, however, can be significantly cheaper. Some bug bounty programs are free and only reward ranking points, which improve the researcher’s ranking on the hosting platform’s website. This is common for non-profit organizations or charities that don’t have big budgets; people won’t mind helping them out because they know it’s going to a good cause. If you’re a bigger company and want to attract the best, you can pay something like $50-$5000 per bounty, depending on the type of vulnerability found. It’s up to you how much you pay, but the more money you put in, the more effort people will put into hacking your platform.
Scalable: If you pay a company to do an assessment you will usually have to agree to a price upfront, which means you pay regardless of what is found and how severe it is. With bug bounties this isn’t the case: if a researcher doesn’t report anything you don’t pay them anything, you don’t pay for duplicates of the same bug, and you decide how much you pay depending on how important the vulnerability is. You pay directly for what you get. However, it’s important that you don’t exploit this rule, because if you get a reputation for not paying or underpaying, people will not want to invest their time in looking for bugs on your applications.
You make the rules: Another good feature of bug bounty programs is your ability to set the parameters of the tests. You’re able to specify which areas of the application are off limits, how far you want testers to take the test (stop when they find a vulnerability, or try to exploit it and see how bad it really is), specify the dates of the test, rule out certain types of vulnerabilities, and more. It offers you a great amount of customization. While you can do this in a traditional penetration test, the process is more tedious. First comes the procurement process, where you find the company, get statements of work (SOWs), negotiate price and go through all of the other procurement steps. Next, once you’ve decided on someone, you need to create legal contracts and have them signed. Then you must sign the tester’s legal contracts that protect them in the event something goes wrong. Throughout these steps there are revisions, edits and negotiations that will take place. Bug Bounty platforms simplify this process and eliminate that legal and procurement overhead.
Types of Bug Bounty Programs:
Public: A public bug bounty program is one that is posted on a public platform, and anyone who signs up on that platform can engage in the program. This is good if you want maximum feedback and exposure and you’re not looking to hide anything on your application. It can also be a bit more cost effective than a private bug bounty program, because you’re not bringing in specialists who expect to be compensated at a higher rate.
Private: A private bug bounty program is one where you select specific researchers, usually ones with very good reputations whom you have vetted, to engage in the program. It is not open to the public and is invite only. The advantage here is a higher level of expertise, and you minimize the overall exposure your application or website has to the outside world. As mentioned above, security through obscurity isn’t a be-all and end-all solution, but the fewer hackers that know about your product the better, and this is what a private bug bounty helps you to do. However, because you’re bringing in experts, and because of all the vetting you need to do beforehand, you can expect these to be more expensive and time consuming to organize than a public bug bounty program.
Popular Bug Bounty Platforms
BugCrowd: Bugcrowd was founded in 2011 and is one of the biggest crowdsourced security platforms. It has one of the largest and most comprehensive bug bounty programs and is a great place to consider posting your application or website for testing. Some notable companies that have used this platform include HP, Indeed and Motorola.
HackerOne: This is another major player when it comes to bug bounties. HackerOne is arguably the biggest platform, in constant competition with Bugcrowd for the number 1 spot. Some of the big companies that have used HackerOne include Starbucks, Nintendo, Paypal and Goldman Sachs.
Conclusion: Bug Bounty programs offer a great way to crowdsource security work. You can have the expertise of tens or hundreds of security researchers while paying only a fraction of what it would cost to recruit them all individually. There are clear benefits to having so many people looking at your product. You can become aware of vulnerabilities long before someone with bad intentions gets a chance to use them, and depending on the type of bug bounty program you choose, you can limit the number of people who are aware of your application to a select group of researchers. These programs are not only beneficial to small companies: large companies such as Facebook have used bug bounty programs to improve their overall security, and many companies would greatly benefit from implementing a similar approach.