September 24, 2015 By Douglas Bonderud 3 min read

Bug bounty programs have quickly gained steam as a way for companies to defend software interests without overspending on internal IT staffers. The premise is simple: Offer money or other compensation in exchange for well-documented, repeatable bug discoveries that are reported directly to enterprises instead of being shopped around underground markets. Businesses like Google, Dropbox and even Instagram have used these bounties to great effect, but for the moment, independent and vendor-sponsored bounties still dominate the market.

According to Threatpost, however, a new tool designed by HackerOne has emerged as the first step for companies looking to take charge of their own IT security by creating an in-house bug program. Here’s a quick overview.

Is Your Organization Ready?

Called the Vulnerability Coordination Maturity Model, HackerOne’s free assessment tool lets companies “determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards.” In effect, the five-minute survey is designed to provide a rough baseline of corporate readiness to implement a bug bounty program — before companies start spending on infrastructure and integration.

As noted by Katie Moussouris of HackerOne, the complexity of software vulnerabilities in a cloud- and mobile-enabled world means that wanting a bounty program isn’t enough. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside,” she told Threatpost. By providing determinations of basic, advanced or expert in each of the five top-level capabilities needed for an effective program, the HackerOne tool gives CSOs the concrete starting point required to effectively direct IT spend. For example, businesses can make sure they’re not overpaying for new vulnerabilities or unable to determine the root cause of specific bugs before going live.

Cost/Benefit of a Bug Bounty Program

But is the HackerOne tool — or a similar assessment — really necessary? Isn’t it possible for companies to simply task in-house IT with mimicking the structure of existing bounty programs and then handling any issues that emerge on a case-by-case basis? As noted by Data Center Journal, this isn’t a good idea for several reasons.

First is the influx of bug reports that come along with any new program. If made lucrative enough, both security pros and gifted amateurs will flood corporate gates with report after report — and not all these reports will contain useful information. Some will contain known vulnerabilities or variations on a theme, while others will mistake complex features or app functions for security holes. There’s also the problem of fishy reports or finders who claim they’ve discovered devastating bugs but want big money before they turn over the details. It never pays to wind up in this kind of standoff situation.

Enterprises also need to consider the competition. According to Engadget, security firm Zerodium is now offering a $1 million bounty for iOS 9 zero-day exploits. This isn’t a benevolent act to spare Apple and iOS 9 users the damage done by determined attackers. Instead, the firm would share exploit details with its clients to be used (and abused) as they see fit. Some experts argue that going to the affected company first is the morally upstanding choice, while others say that since Apple and other big names don’t pay out anything for bounties, it’s their own problem. For businesses new to world of bug bounties, it’s a wake-up call. This is a cutthroat, winner-take-all endeavor.

Here’s how it all shakes out: Software deployments are rapidly becoming both complex and quick to evolve, even for midsize companies and smaller enterprises. The result? It’s time to consider implementing a bug bounty program, but getting it right out of the gate is critical. Start with tools like HackerOne’s assessment offering and build from there — the bugs will come crawling.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today