March 15, 2017

Bug Bounties Explained

Researchers from Open Bug Bounty tackle bug bounties in this latest installment of CBR's Tech Express.

By Ellie Burns

EB: What is a bug bounty?

In general, a bug bounty enables external security researchers to report bugs and vulnerabilities for a certain reward or public recognition.


EB: How do bug bounties work?

The first bug bounty programmes were open to all volunteers/researchers. Today, so-called private bounties often select researchers by skills, nationality or other criteria. This approach may seem attractive at first glance, but many skilled and trusted penetration testers will not accept working for next to nothing, as they may not get paid if someone else reports the same flaw a few seconds before. There are different approaches, such as the Open Bug Bounty, where any website owner and web security researcher are connected if a vulnerability is found.


EB: Why would a business turn to bug bounties?

Not every business needs to use a bounty programme. A bug bounty, just like any other security solution, should be part of a larger security testing strategy, proportional to the tested system, the company’s risk appetite and testing objectives. Mainly large companies running systems designed to be used by large, unfiltered audiences stand to benefit more from bounties. Crowd security testing, if implemented correctly, can bring a lot of valuable ideas from security researchers that would otherwise remain unheard.

EB: What is the business benefit of running a bug bounty program?

Large companies can validate the quality of work carried out by professional cybersecurity companies on their behalf, and get an additional layer of assurance that the quantity of undetected vulnerabilities stays within a reasonable minimum.


EB: What would be your top tips to a company looking to start a bug bounty program?

First of all, analyse whether you really need to run the bounty – if it’s appropriate for your risk appetite and infrastructure. Today, bounties remind us of the peak of the dotcom boom, similar to the early 2000s, when companies claimed that heuristic AV analysis would kill viruses and solve the problems of hacking. Otherwise, before starting a bounty, make sure you have enough human resources to handle all the submissions – researchers who are ignored can get angry pretty quickly, and you need to assure a fast response to every submission.

Also, make sure that all other security solutions, such as WAF, are properly implemented and managed – otherwise you will be overpaying the researchers for exposing trivial vulnerabilities. Last, but not least, develop a media communication strategy in case of an incident – many companies start bounties, fail for a reason, and then realize that they do not have an emergency plan once an unhappy researcher speaks about their inability to manage cybersecurity.

