EB: What is a bug bounty?
In general, a bug bounty enables external security researchers to report bugs and vulnerabilities for a certain reward or public recognition.
EB: How do bug bounties work?
The first bug bounty programmes were open to all volunteers/researchers. Today, so-called private bounties often select researchers by skills, nationality or other criteria. This approach may seem attractive at first glance, but many skilled and trusted penetration testers will not accept working for next to nothing, as they may not get paid if someone else reports the same flaw a few seconds before. There are different approaches, such as the Open Bug Bounty, where any website owner and web security researcher are connected if a vulnerability is found.
EB: Why would a business turn to bug bounties?
Not every business needs to use a bounty programme. A bug bounty, just like any other security solution, should be part of a larger security testing strategy, proportional to the tested system, the company’s risk appetite and testing objectives. Mainly large companies, running systems designed to be used by large unfiltered audiences, stand to benefit more from bounties. Crowd security testing, if implemented correctly, can bring a lot of valuable ideas from security researchers that would otherwise remain unheard.
EB: What is the business benefit of running a bug bounty program?
Large companies can validate the quality of work carried out by professional cybersecurity companies on their behalf, and get an additional layer of assurance that the quantity of undetected vulnerabilities stays within a reasonable minimum.
EB: What would be your top tips to a company looking to start a bug bounty program?
First of all, analyse if you really need to run the bounty – if it’s appropriate for your risk appetite and infrastructure. Today bounties remind us of the peak of the dotcom boom, similar to early 2000, when companies claimed that heuristic AV analysis would kill viruses and solve the problems of hacking. Otherwise, before starting a bounty, make sure you have enough human resources to handle all the submissions – researchers who are ignored can get angry pretty quickly, and you need to ensure a fast response to every submission.
Also, make sure that all other security solutions, such as WAF, are properly implemented and managed – otherwise you will be overpaying the researchers for exposing trivial vulnerabilities. Last, but not least, develop a media communication strategy in case of an incident – many companies start bounties, fail for a reason, and then realize that they do not have an emergency plan once an unhappy researcher speaks about their inability to manage cybersecurity.
This article is from the CBROnline archive: some formatting and images may not be present.