Are Bug Bounty Programs Worth It?

October 12, 2020

Bug bounty programs are on the rise, and participating security researchers earned big bucks as a result.

According to a report released by HackerOne in February 2020, hackers had collectively earned approximately $40 million from those programs in 2019. This amount is nearly equal to the bounty totals hackers received for all preceding years combined.

In “Hacker-Powered Security Report 2019,” HackerOne revealed that the number of these hacker-powered security initiatives had grown by at least 30% in each of the regions surveyed. Latin America led the way with a year-over-year growth rate of 41%. It was followed by North America, Europe, the Middle East and Africa region at 34%, 32% and 30%, respectively.

Clearly, more organizations are rewarding their hackers with larger bug bounty amounts than ever before. But to what extent are organizations benefiting from these payouts? And, are these programs actually worth the effort?

What Is a Bug Bounty Program?

A bug bounty program is an initiative through which an organization sanctions security researchers to search for vulnerabilities and other weaknesses on its public-facing digital systems. Some of these programs are private insofar as security researchers must receive an invitation in order to participate. Other initiatives are public frameworks where anyone can apply.

A bug bounty program works by having the organization lay out a set of terms and conditions for eligible offensive security testers. These rules specify which domains and services sit within the scope of the program. They also explain the types of security issues for which the organization is willing to offer a reward and delineate the bounty amounts a security researcher can expect to receive for each eligible bug report.

In order to receive an award, hackers must submit a proof of concept (POC) along with their report to the organization. That entity’s personnel will then work with the researcher to develop a fix for the issue, roll it out to its user base and reward the researcher for the work. If the hacker fails to follow responsible disclosure by sharing their report with anyone other than the organization, they likely will not receive any award and could face a monetary or legal penalty.

What Are the Benefits of Bug Bounties?

Organizations can use a bug bounty program as a proactive approach to their security efforts. These initiatives enable organizations to seek and plug vulnerabilities before attackers have a chance to exploit them. In the absence of this type of effort, organizations largely relegate themselves to a reactionary stance in which they sit and wait for an attack to emerge before they fix the underlying weakness.

Such an approach can be costly in terms of time and money. In the 2020 Cost of a Data Breach Report, the Ponemon Institute found that it took an average of 280 days for an organization to detect a security incident. This dwell time gave attackers ample opportunity to move laterally throughout the network and prey upon their target’s most critical assets. It is therefore no wonder that the global cost of a data breach averaged $4 million in 2020.

Penetration Tests vs. Bug Bounties

Creating a bug bounty program can save organizations money. But a vulnerability research initiative isn’t the only tool available for realizing a proactive approach to security. Organizations could choose to consult with an external company for the purpose of conducting penetration tests. They might select this option to specifically draw upon the experience of a reputable company instead of inviting hackers they don’t know to poke around their systems.

Penetration testing operates in a different framework from a bug bounty program. A SANS Institute white paper notes that typically, a few penetration testers receive payment to work over an agreed-upon period of time. Penetration testers’ predefined methodology is designed to cover the entire breadth of the project scope.

Bug bounty programs don’t have limits on time or personnel. And, anyone who participates can use whatever methodology or tools they want as long as they don’t violate the program’s terms and conditions. Even more significantly, hackers get paid through a bug bounty program only if they report valid vulnerabilities no one has uncovered before. This gives participating researchers an incentive to spend their time digging for novel issues, which means in-scope systems could receive more depth of coverage under a bug bounty program than a standard penetration test.

Bug bounty programs carry another major benefit: helping to deter malicious activity. TechBeacon notes that testers are curious and want to measure what they know against apps, websites, game consoles and other technology. Some of these individuals might want to make some money in the process. Organizations can therefore actively partner with these interested parties, giving them a legitimate way to flex their knowledge and begin to build a career as a security researcher.

So, everyone wins … right?

Potential Drawbacks of a Bug Bounty Program

Not necessarily.

Sometimes, it really depends on how a bug bounty program takes shape. For instance, a company should seek input from the legal department when crafting a program. The last thing an organization wants is a weak set of terms and conditions through which a participating offensive security tester could stray (inadvertently or intentionally) and target out-of-bounds systems. This can happen even with an airtight set of terms and conditions, so an organization wants to make sure the legal consequences for disobeying those rules are credible.

Then again, there are larger issues at play for an organization if it doesn’t see the forest for the trees. BetaNews points out that not everyone who signs up with a bug bounty program actually reads the terms and conditions. This creates legal risk for the researcher, but it can also undermine the organization’s security. For instance, if a researcher doesn’t include a POC with their bug report, they might not get a bounty, but that doesn’t mean the vulnerability doesn’t exist. Even so, the organization might simply choose to dismiss the issue outright because the accompanying report doesn’t follow its terms and conditions. In doing so, the organization undermines its own security.

Keeping Within Scope of Bug Bounties

To make things run smoothly and minimize risk, each organization needs to define the scope of its bug bounty program. This process involves determining what services an organization is willing to expose to examination by individuals it doesn’t know. In doing so, a company could choose to exclude private systems that might contain their most sensitive information, such as customer data and intellectual property (data assets and systems that need the most protection).

The problem is that exclusion from a bug bounty program necessarily undermines security. By removing certain systems from coverage, organizations prevent security researchers from examining those assets. This could give malicious actors the opportunity to exploit any vulnerabilities they find in those out-of-scope systems in order to access and ultimately steal that data.

Making the Most Out of a Bug Bounty Program

Issues aside, bug bounty programs have yielded some important findings. In a 2019 report, HackerOne revealed that organizations’ vulnerability research initiatives have helped to uncover a variety of security weaknesses, such as cross-site scripting flaws, improper authentication bugs, holes allowing for information disclosure, instances of privilege escalation and other issues. More than half of those were of ‘critical’ or ‘high’ severity based upon the bounties organizations paid out.

These findings help show how bug bounty programs can be useful to organizations. It all comes down to how organizations use them. First, organizations need to resist the temptation to think that bug bounty programs, like any other single solution, are a silver bullet for their security woes.

In the absence of a more comprehensive security plan, organizations will not be able to continuously monitor their infrastructure for vulnerabilities via a bug bounty program. Nor will they be able to use a vulnerability research framework to patch those flaws as they would under a robust vulnerability management program.

One Part of a Larger Approach

To optimize the efficacy of bug bounty programs, organizations need to make their initiatives part of a layered approach to security. They can do this in part by implementing penetration tests and bug bounty programs together. Penetration testing can be used to detect high-risk flaws or bugs residing in changed application functionality, while bug bounties can serve as a source of continuous feedback for a larger swath of the infrastructure. Businesses can pair those two approaches with Dynamic Application Security Testing (DAST), a method that favors frequency of testing over depth of coverage when it comes to evaluating the security of web applications and services.

Organizations need to make sure they implement bug bounty programs in a way that encourages security researchers to disclose what they find. They are competing with exploit acquisition platforms and private sellers on the dark web that could potentially agree to higher awards for bug reports. So, companies need to make sure they create a fair rewards hierarchy, adhere to this structure and be upfront with researchers in explaining why a submitted bug report warrants a certain payout.

Even more importantly, it would be in organizations’ best interest to heed the finding of a 2018 HackerOne report. The report found that a quarter of hackers didn’t disclose their vulnerability findings because they couldn’t find a formal channel for doing so. Organizations need to make it easy for security researchers to reach out. They also need to be open to researchers sharing their findings under the principles of responsible disclosure. Researchers want to share what tools and methodologies they used to find a flaw with the broader security community. Such information-sharing functions like threat intelligence. In the hands of many, these tools and methodologies can evolve and grow to protect even more organizations as new threats continue to emerge.

Bug bounty programs are a mutually beneficial relationship. With enough careful planning and consideration, they can continue to advance the security industry as a whole well into the future.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...