Bug bounty programs have quickly gained steam as a way for companies to defend software interests without overspending on internal IT staffers. The premise is simple: Offer money or other compensation in exchange for well-documented, repeatable bug discoveries that are reported directly to enterprises instead of being shopped around underground markets. Businesses like Google, Dropbox and even Instagram have used these bounties to great effect, but for the moment, independent and vendor-sponsored bounties still dominate the market.

According to Threatpost, however, a new tool designed by HackerOne has emerged as the first step for companies looking to take charge of their own IT security by creating an in-house bug program. Here’s a quick overview.

Is Your Organization Ready?

Called the Vulnerability Coordination Maturity Model, HackerOne’s free assessment tool lets companies “determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards.” In effect, the five-minute survey is designed to provide a rough baseline of corporate readiness to implement a bug bounty program — before companies start spending on infrastructure and integration.

As noted by Katie Moussouris of HackerOne, the complexity of software vulnerabilities in a cloud- and mobile-enabled world means that wanting a bounty program isn’t enough. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside,” she told Threatpost. By providing determinations of basic, advanced or expert in each of the five top-level capabilities needed for an effective program, the HackerOne tool gives CSOs the concrete starting point required to effectively direct IT spend. For example, businesses can make sure they’re not overpaying for new vulnerabilities or unable to determine the root cause of specific bugs before going live.

Cost/Benefit of a Bug Bounty Program

But is the HackerOne tool — or a similar assessment — really necessary? Isn’t it possible for companies to simply task in-house IT with mimicking the structure of existing bounty programs and then handling any issues that emerge on a case-by-case basis? As noted by Data Center Journal, this isn’t a good idea for several reasons.

First is the influx of bug reports that come along with any new program. If made lucrative enough, both security pros and gifted amateurs will flood corporate gates with report after report — and not all these reports will contain useful information. Some will contain known vulnerabilities or variations on a theme, while others will mistake complex features or app functions for security holes. There’s also the problem of fishy reports or finders who claim they’ve discovered devastating bugs but want big money before they turn over the details. It never pays to wind up in this kind of standoff situation.

Enterprises also need to consider the competition. According to Engadget, security firm Zerodium is now offering a $1 million bounty for iOS 9 zero-day exploits. This isn’t a benevolent act to spare Apple and iOS 9 users the damage done by determined attackers. Instead, the firm would share exploit details with its clients to be used (and abused) as they see fit. Some experts argue that going to the affected company first is the morally upstanding choice, while others say that since Apple and other big names don’t pay out anything for bounties, it’s their own problem. For businesses new to world of bug bounties, it’s a wake-up call. This is a cutthroat, winner-take-all endeavor.

Here’s how it all shakes out: Software deployments are rapidly becoming both complex and quick to evolve, even for midsize companies and smaller enterprises. The result? It’s time to consider implementing a bug bounty program, but getting it right out of the gate is critical. Start with tools like HackerOne’s assessment offering and build from there — the bugs will come crawling.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read