June 14, 2018 By Jasmine Henry 4 min read

The IT skills gap has become a cybersecurity risk in its own right. As the security talent shortage increases, many organizations are considering alternatives to traditional hiring, including bug bounty programs, which offer formalized rewards for third-party disclosure of vulnerabilities.

These programs aren’t new: Web browser vendor Netscape launched one of the first bug bounty programs in 1995 when it offered cash rewards to users who discovered security flaws in Netscape Navigator 2.0. While the concept is nearly 25 years old — and familiar to many security leaders — adoption remains relatively low.

What common challenges do organizations encounter when rolling out bug bounty initiatives? How can they overcome these obstacles to maximize their return and soften the impact of the security talent shortage?

Bug Bounties Are No Silver Bullet for Security

Even the most outspoken proponents of bug bounty programs recognize that application vulnerability programs do not constitute a silver bullet solution to close the cybersecurity talent gap. As Katie Moussouris, a subject matter expert and MIT Sloan School of Management visiting scholar, stated in her presentation at the 2018 RSA Conference, bug bounty programs have created perverse incentives for extortion.

However, there’s almost certainly a role for application vulnerability disclosure programs, and the right approach to these initiatives could help solve talent woes. The success of such a program depends on its maturity level, including capacity planning and triage labor for disclosed vulnerabilities.

A 2018 global survey from bug bounty platform HackerOne revealed vital insights into the motivations and demographics of 1,698 self-identified white-hat hackers, who make up the majority of bug bounty hunters around the world. Surprisingly, the survey found that most white hats are more interested in satisfying their curiosity and developing their hacking skills than earning money for their efforts. Roughly 15 percent of respondents cited a desire to learn new techniques, while 14 percent said they participate in vulnerability disclosure programs to challenge themselves.

The money can still be a significant draw for top security talent in global markets. According to the survey, top ethical hackers based in India out-earn median software engineers by 16 times. Top researchers worldwide, meanwhile, earn 2.7 times more than typical software engineers. While 37 percent of ethical hackers identify as hobbyists, many find the pursuit lucrative — with 12 percent earning at least $20,000 per year.

Perhaps the most important takeaway from this research is ethical hackers’ desire to share their findings. Nearly one in four reported failing to disclose a vulnerability because they were unable to find a formal channel for reporting, while 13 percent said they participate in ethical hacking merely because they like a particular brand.

Deriving Value From Bug Bounty Programs

Bug bounties are big business, but many organizations have failed to derive much value from these initiatives. According to Moussouris’ RSA Conference presentation, the security vulnerability program at one major tech company receives 200,000 reports each year. The majority of reported vulnerabilities sent through this channel are related to cross-site scripting (XSS). For organizations with mismanaged vulnerability programs and poor triage processes, bug bounty programs could present a unique drain on resources.

“Capacity planning [and] maturity is the right way forward,” Moussouris noted. In her presentation, she encouraged organizations to create success road maps for vulnerability disclosure — and asserted that it’s time to consider the difference between “paying for bugs versus actually becoming more secure.”

Moussouris also had other suggestions for organizations:

  • Understand the majority of bug bounty flaws and prioritize fixing these vulnerabilities internally.
  • Avoid “low-hanging fruit” security flaws that cause the majority of data breaches, such as insecure S3 buckets.
  • Understand that bug bounty programs are not a path to comprehensive security.
  • Avoid compensating bug bounty hunters better than employees to protect morale.

Standardizing Vulnerability Disclosure

With over two decades of bug bounty history to draw from, enterprises hoping to adopt or refine their application vulnerability disclosure programs have plenty of best practices, models and guidelines to reference. As organizations build bug bounty programs, adopting standardized methodologies for vulnerability identification, triage, patching, disclosure and handling is critical.

For vulnerability disclosure, ISO 29147 offers a unified framework for identifying internal and external flaws. This framework can help organizations organize and scale reporting; assign risk and impact; and triage vulnerabilities based on risk. ISO 30111, meanwhile, provides standardized guidelines for vulnerability handling, including responding to and resolving identified flaws.

Bug bounties are not a replacement for third-party penetration testing. While thousands of security researchers around the globe self-identify as white-hat hackers, individuals who participate in vulnerability disclosure programs are motivated by myriad factors — ranging from financial gain to pure curiosity.

Moussouris encouraged organizations to consider behavioral economics principles in establishing bug bounty rates to attract the right contributions. Avoiding overcompensating bounty hunters can protect employee morale — while internally practicing good security hygiene can attract talented researchers and contributions.

Making a Dent in the Security Talent Shortage

There’s a place for bug bounty programs within a comprehensive security framework. Third-party researchers can discover security vulnerabilities that were missed by internal and external testing processes. Organizations with carefully structured programs can maximize the latent talent in the white-hat hacker force by carefully managing incentives.

Perhaps more importantly, creating large bounties and tough problems — while managing simple vulnerabilities internally — can enable organizations to leverage vulnerability disclosure programs as a viable tool for recruiting top talent.

Bug bounty programs are unlikely to solve the security talent shortage completely, and they’re certainly no replacement for comprehensive security testing and internal vulnerability identification and handling processes. However, organizations can benefit significantly from formalized channels for vulnerability disclosure by understanding these programs’ relative strengths and weaknesses.
