A bug bounty programme is a colloquial term for a vulnerability disclosure programme. It is the process in which an organisation incentivises external security researchers, or even members of the public, to discover and disclose vulnerabilities found in corporate systems, applications, or data. In return for reporting a vulnerability, the outsider will receive a bounty – such as a financial reward or discount code – subject to the terms of the bug bounty programme.
While bug bounty programmes aren’t new, they are indeed becoming more prevalent and encouraged. In fact, in the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework, a clause promotes bug bounties. It recommends organisations put in place processes to “receive, analyse, and respond to vulnerabilities disclosed to the organisation from external sources.”
Why should organisations consider bug bounty programmes?
Security vulnerabilities are commonplace in corporate software products, applications, webpages and systems. Moreover, organisations often tailor the functionality of the systems they use by adding code. Every time this happens, new weaknesses may be introduced. Be it a design flaw, a misconfiguration or unpatched software, threat actors will attempt to exploit a bug of any nature.
While third-party penetration testing is an excellent tool to find and fix such security weaknesses, it is usually only done annually or after a major system update. It is typically also highly focused and time-limited. For a detailed overview of this topic, read our guide to penetration testing.
A bug bounty programme can complement your existing vulnerability management process. In the gaps between penetration tests, this crowdsourced model invites security researchers to report bugs and issues, so you can keep on top of weaknesses in your systems – before a malicious entity discovers and exploits them.
There are two main types of bug bounty programmes: public and private.
Public: A public programme invites anyone to participate, subject to the rules of the programme. Anyone who signs up to the programme or operates within the defined rules of the programme (if sign up isn’t required) is eligible for the bounty when reporting a vulnerability within the agreed scope. These kinds of programmes enable many bug bounty hunters to take part, which has the potential benefit of more feedback and exposure. See, for example, details of the Facebook bug bounty programme here.
Private: A private programme is an invite-only programme, where you choose specific, reputable researchers to engage. These researchers should have a high level of expertise. However, they will likely also expect a higher level of compensation. Private bug bounty programmes are a good fit for organisations that are wary of exposing their systems or applications to the outside world, or that handle very sensitive information that would have a detrimental impact if exposed. An example of a private programme is the Ministry of Defence’s 30-day challenge run during 2021.
The pros of bug bounty programmes
Bug bounty programmes can be an extremely cost-effective way to manage vulnerabilities. This is because you only pay for results, as opposed to the time spent. It’s only when a security researcher hands over a legitimate vulnerability that you need to think about payment. Moreover, running a public bug bounty programme demonstrates a level of security awareness and commitment to your customers and partners. This, in turn, can boost confidence.
Bug bounty programmes, at their core, are about reducing the likelihood of a successful cyber breach. Organisations can improve their security posture by enabling security researchers to find these bugs before malicious actors do. It’s a tactic that has proved popular, with Facebook, Google, Reddit and Microsoft all running regular bug bounty programmes that offer financial rewards.
However, it’s not only Big Tech players that run bug bounties. Increasingly, small and medium enterprises, and the public sector, have started to recognise the benefits of bug bounty programmes. For example, in the US, the Pentagon’s bug bounty programme has proved a success. In a little over five years of operation, researchers have submitted more than 29,000 vulnerability reports. More than 70% were determined to be valid, according to the US Department of Defense.
The cons of bug bounty programmes
The challenge for many companies regarding bug bounty programmes comes down to two factors: budget and complexity. For example, in 2020, Microsoft’s Bug Bounty programme awarded $13.6M to more than 340 researchers. A programme of this scale requires a great deal of time, coordination and financial backing.
Bug bounty programmes can also be a controversial subject – particularly in cases where a security researcher has found and reported a bug to a company that does not have an official programme. This creates potential legal issues, as the researcher could be seen to be extorting the target rather than acting in good faith.
Issues have also arisen regarding the ethics of these programmes. As a recent CREST report on bug bounties noted, companies and security researchers don’t have binding contractual relationships. There is always the risk that a security researcher could ‘turn to the dark side’ and choose to sell the vulnerabilities they discover on the black market, or even double bluff their client and ask for payment as well as sell the information on the dark web.
This links to another issue surrounding bug bounty programmes today: trust. Bug bounty programmes, after all, invite people to probe your systems and applications for exploitable weaknesses. For companies setting up their first programme, building trust is essential – which is why many companies turn to third-party bug bounty platforms. These act as an intermediary between the client organisation and the bug bounty hunters.
Making bug bounties work for your business
While you might automatically associate bug bounties with large financial rewards, this doesn’t have to be the case. There are many ways to scale bug bounty programmes up and down to fit your organisation’s specific requirements and expectations. Moreover, you don’t have to offer financial rewards.
Before embarking on a bug bounty programme, it’s essential to set the limits of what you are willing to offer as a reward and, if it is financial, exactly how much. As we’ve mentioned, your bug bounty programme does not need to provide thousands of pounds in rewards.
Many bug bounty hunters participate in these programmes for career development, kudos and even as a hobby – almost like gaming. Indeed, vulnerability researchers have wide and varied backgrounds. Some do make their full-time living from bug bounty hunting. However, others are junior researchers who want to build up their skills and bolster their CVs – and a recommendation from your company for finding a vulnerability could be all the payment they are seeking.
Then there are those bug bounty hunters who are looking for a challenge. They enjoy honing their skills and testing their capabilities. In line with this, many third-party bug bounty platforms have created leaderboard systems that gamify the hunting experience. For some, the achievement of successfully finding bugs is more than enough payment in itself.
But that doesn’t mean you should ask security researchers to work for free. After all, bug bounty hunting takes time and effort. Depending on the products or solutions you sell, you could offer unique types of rewards, such as discount codes, physical prizes, coupons that can be redeemed elsewhere or even a part-time job role. For example, United Airlines offers frequent flyer miles to bug bounty hunters as a reward.
Ultimately, the prize offered should be commensurate with the severity of the vulnerability discovered and the time and effort the researcher has spent. If the compensation offered is deemed unfair, you could face a backlash. For example, in 2013, Yahoo had to change its bug bounty policies after it offered t-shirts to bug bounty hunters for successfully finding some critical vulnerabilities. The offer created a negative media frenzy, which damaged the reputation of Yahoo’s programme.
As we’ve briefly touched on, many companies opt to run their bug bounty programmes through a third-party platform. The other option is to run the programme yourself in-house. Both avenues have pros and cons.
By running a programme in-house, you can maintain robust control and tailor it precisely to your requirements. However, in-house management also requires a lot of time, expertise and budget, meaning it is not always a realistic option for small and medium-sized enterprises.
On the other hand, third-party platforms bring the expertise to the table for you. Some even offer to triage disclosed vulnerabilities on your behalf as a fully managed service. At the same time, though, popular platforms are often heavily subscribed, meaning your company may find itself competing for researchers’ attention against others.
If you are unsure of which option to go for, an excellent place to start is by setting up a vulnerability disclosure process. This will allow security researchers, or even the public, to contact you should they find a weakness in your systems. We recommend reading the National Cyber Security Centre’s advice on vulnerability disclosures as a start.
Ultimately, bug bounty programmes can be a solid addition to your vulnerability management process, complemented by penetration testing and regular vulnerability scanning.
evalian® has experienced and qualified cyber security consultants to help you with any nature of cyber security problem you face. Contact us to find out more.