The IT skills gap has become a cybersecurity risk in its own right. As the security talent shortage increases, many organizations are considering alternatives to traditional hiring, including bug bounty programs, which offer formalized rewards for third-party disclosure of vulnerabilities.

These programs aren’t new: Web browser vendor Netscape launched one of the first bug bounty programs in 1995 when it offered cash rewards to users who discovered security flaws in Netscape Navigator 2.0. While the concept is nearly 25 years old — and familiar to many security leaders — adoption remains relatively low.

What common challenges do organizations encounter when rolling out bug bounty initiatives? How can they overcome these obstacles to maximize their return and soften the impact of the security talent shortage?

Bug Bounties Are No Silver Bullet for Security

Even the most outspoken proponents of bug bounty programs recognize that application vulnerability programs do not constitute a silver bullet solution to close the cybersecurity talent gap. As Katie Moussouris, a subject matter expert and MIT Sloan School of Management visiting scholar, stated in her presentation at the 2018 RSA Conference, bug bounty programs have created perverse incentives for extortion.

However, there’s almost certainly a role for application vulnerability disclosure programs, and the right approach to these initiatives could help solve talent woes. The success of such a program depends on its maturity level, including capacity planning and triage labor for disclosed vulnerabilities.

A 2018 global survey from bug bounty platform HackerOne revealed vital insights into the motivations and demographics of 1,698 self-identified white-hat hackers, who make up the majority of bug bounty hunters around the world. Surprisingly, the survey found that most white hats are more interested in satisfying their curiosity and developing their hacking skills than earning money for their efforts. Roughly 15 percent of respondents cited a desire to learn new techniques, while 14 percent said they participate in vulnerability disclosure programs to challenge themselves.

The money can still be a significant draw for top security talent in global markets. According to the survey, top ethical hackers based in India out-earn median software engineers by 16 times. Top researchers worldwide, meanwhile, earn 2.7 times more than typical software engineers. While 37 percent of ethical hackers identify as hobbyists, many find the pursuit lucrative — with 12 percent earning at least $20,000 per year.

Perhaps the most important takeaway from this research is ethical hackers’ desire to share their findings. Nearly one in four reported failing to disclose a vulnerability because they were unable to find a formal channel for reporting, while 13 percent said they participate in ethical hacking merely because they like a particular brand.

Deriving Value From Bug Bounty Programs

Bug bounties are big business, but many organizations have failed to derive much value from these initiatives. According to Moussouris’ RSA Conference presentation, the security vulnerability program at one major tech company receives 200,000 reports each year. The majority of reported vulnerabilities sent through this channel are related to cross-site scripting (XSS). For organizations with mismanaged vulnerability programs and poor triage processes, bug bounty programs could present a unique drain on resources.

“Capacity planning [and] maturity is the right way forward,” Moussouris noted. In her presentation, she encouraged organizations to create success road maps for vulnerability disclosure — and asserted that it’s time to consider the difference between “paying for bugs versus actually becoming more secure.”

Moussouris also had other suggestions for organizations:

  • Understand the majority of bug bounty flaws and prioritize fixing these vulnerabilities internally.
  • Avoid “low-hanging fruit” security flaws that cause the majority of data breaches, such as insecure S3 buckets.
  • Understand that bug bounty programs are not a path to comprehensive security.
  • Avoid compensating bug bounty hunters better than employees to protect morale.

Standardizing Vulnerability Disclosure

With over two decades of bug bounty history to draw from, enterprises hoping to adopt or refine their application vulnerability disclosure programs have plenty of best practices, models and guidelines to reference. As organizations work toward standardized methodologies for vulnerability identification, triage and patching around bug bounty programs, the adoption of standardized methodologies for vulnerability disclosure and handling is critical.

For vulnerability disclosure, ISO 29147 offers a unified framework for identifying internal and external flaws. This framework can help organizations organize and scale reporting; assign risk and impact; and triage vulnerabilities based on risk. ISO 30111, meanwhile, provides standardized guidelines for vulnerability handling, including responding to and resolving identified flaws.

Bug bounties are not a replacement for third-party penetration testing. While thousands of security researchers around the globe self-identify as white-hat hackers, individuals who participate in vulnerability disclosure programs are motivated by myriad factors — ranging from financial gain to pure curiosity.

Moussouris encouraged organizations to consider behavioral economics principles in establishing bug bounty rates to attract the right contributions. Avoiding overcompensating bounty-hunters can protect employee morale — while internally practicing good security hygiene can attract talented researchers and contributions.

Making a Dent in the Security Talent Shortage

There’s a place for bug bounty programs within a comprehensive security framework. Third-party researchers can discover security vulnerabilities that were missed by internal and external testing processes. Organizations with carefully structured programs can maximize the latent talent in the white-hat hacker force by carefully managing incentives.

Perhaps more importantly, creating large bounties and tough problems — while managing simple vulnerabilities internally — can enable organizations to leverage vulnerability disclosure programs as a viable tool for recruiting top talent.

Bug bounty programs are unlikely to solve the security talent shortage completely, and they’re certainly no replacement for comprehensive security testing and internal vulnerability identification and handling processes. However, organizations can benefit significantly from formalized channels for vulnerability disclosure by understanding these programs’ relative strengths and weaknesses.

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…