The IT skills gap has become a cybersecurity risk in its own right. As the security talent shortage increases, many organizations are considering alternatives to traditional hiring, including bug bounty programs, which offer formalized rewards for third-party disclosure of vulnerabilities.
These programs aren’t new: Web browser vendor Netscape launched one of the first bug bounty programs in 1995 when it offered cash rewards to users who discovered security flaws in Netscape Navigator 2.0. While the concept is nearly 25 years old — and familiar to many security leaders — adoption remains relatively low.
What common challenges do organizations encounter when rolling out bug bounty initiatives? How can they overcome these obstacles to maximize their return and soften the impact of the security talent shortage?
Bug Bounties Are No Silver Bullet for Security
Even the most outspoken proponents of bug bounty programs recognize that application vulnerability programs do not constitute a silver bullet solution to close the cybersecurity talent gap. As Katie Moussouris, a subject matter expert and MIT Sloan School of Management visiting scholar, stated in her presentation at the 2018 RSA Conference, bug bounty programs have created perverse incentives for extortion.
However, there’s almost certainly a role for application vulnerability disclosure programs, and the right approach to these initiatives could help solve talent woes. The success of such a program depends on its maturity level, including capacity planning and triage labor for disclosed vulnerabilities.
A 2018 global survey from bug bounty platform HackerOne revealed vital insights into the motivations and demographics of 1,698 self-identified white-hat hackers, who make up the majority of bug bounty hunters around the world. Surprisingly, the survey found that most white hats are more interested in satisfying their curiosity and developing their hacking skills than earning money for their efforts. Roughly 15 percent of respondents cited a desire to learn new techniques, while 14 percent said they participate in vulnerability disclosure programs to challenge themselves.
The money can still be a significant draw for top security talent in global markets. According to the survey, top ethical hackers based in India out-earn median software engineers by 16 times. Top researchers worldwide, meanwhile, earn 2.7 times more than typical software engineers. While 37 percent of ethical hackers identify as hobbyists, many find the pursuit lucrative — with 12 percent earning at least $20,000 per year.
Perhaps the most important takeaway from this research is ethical hackers’ desire to share their findings. Nearly one in four reported failing to disclose a vulnerability because they were unable to find a formal channel for reporting, while 13 percent said they participate in ethical hacking merely because they like a particular brand.
Deriving Value From Bug Bounty Programs
Bug bounties are big business, but many organizations have failed to derive much value from these initiatives. According to Moussouris’ RSA Conference presentation, the security vulnerability program at one major tech company receives 200,000 reports each year. The majority of reported vulnerabilities sent through this channel are related to cross-site scripting (XSS). For organizations with mismanaged vulnerability programs and poor triage processes, bug bounty programs could present a unique drain on resources.
“Capacity planning [and] maturity is the right way forward,” Moussouris noted. In her presentation, she encouraged organizations to create success road maps for vulnerability disclosure — and asserted that it’s time to consider the difference between “paying for bugs versus actually becoming more secure.”
Moussouris also had other suggestions for organizations:
- Understand the majority of bug bounty flaws and prioritize fixing these vulnerabilities internally.
- Avoid “low-hanging fruit” security flaws that cause the majority of data breaches, such as insecure S3 buckets.
- Understand that bug bounty programs are not a path to comprehensive security.
- Avoid compensating bug bounty hunters better than employees to protect morale.
Standardizing Vulnerability Disclosure
With over two decades of bug bounty history to draw from, enterprises hoping to adopt or refine their application vulnerability disclosure programs have plenty of best practices, models and guidelines to reference. As organizations work toward standardized methodologies for vulnerability identification, triage and patching around bug bounty programs, the adoption of standardized methodologies for vulnerability disclosure and handling is critical.
For vulnerability disclosure, ISO 29147 offers a unified framework for identifying internal and external flaws. This framework can help organizations organize and scale reporting; assign risk and impact; and triage vulnerabilities based on risk. ISO 30111, meanwhile, provides standardized guidelines for vulnerability handling, including responding to and resolving identified flaws.
Bug bounties are not a replacement for third-party penetration testing. While thousands of security researchers around the globe self-identify as white-hat hackers, individuals who participate in vulnerability disclosure programs are motivated by myriad factors — ranging from financial gain to pure curiosity.
Moussouris encouraged organizations to consider behavioral economics principles in establishing bug bounty rates to attract the right contributions. Avoiding overcompensating bounty-hunters can protect employee morale — while internally practicing good security hygiene can attract talented researchers and contributions.
Making a Dent in the Security Talent Shortage
There’s a place for bug bounty programs within a comprehensive security framework. Third-party researchers can discover security vulnerabilities that were missed by internal and external testing processes. Organizations with carefully structured programs can maximize the latent talent in the white-hat hacker force by carefully managing incentives.
Perhaps more importantly, creating large bounties and tough problems — while managing simple vulnerabilities internally — can enable organizations to leverage vulnerability disclosure programs as a viable tool for recruiting top talent.
Bug bounty programs are unlikely to solve the security talent shortage completely, and they’re certainly no replacement for comprehensive security testing and internal vulnerability identification and handling processes. However, organizations can benefit significantly from formalized channels for vulnerability disclosure by understanding these programs’ relative strengths and weaknesses.