September 24, 2015 By Douglas Bonderud 3 min read

Bug bounty programs have quickly gained steam as a way for companies to defend software interests without overspending on internal IT staffers. The premise is simple: Offer money or other compensation in exchange for well-documented, repeatable bug discoveries that are reported directly to enterprises instead of being shopped around underground markets. Businesses like Google, Dropbox and even Instagram have used these bounties to great effect, but for the moment, independent and vendor-sponsored bounties still dominate the market.

According to Threatpost, however, a new tool designed by HackerOne has emerged as the first step for companies looking to take charge of their own IT security by creating an in-house bug program. Here’s a quick overview.

Is Your Organization Ready?

Called the Vulnerability Coordination Maturity Model, HackerOne’s free assessment tool lets companies “determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards.” In effect, the five-minute survey is designed to provide a rough baseline of corporate readiness to implement a bug bounty program — before companies start spending on infrastructure and integration.

As noted by Katie Moussouris of HackerOne, the complexity of software vulnerabilities in a cloud- and mobile-enabled world means that wanting a bounty program isn’t enough. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside,” she told Threatpost. By providing determinations of basic, advanced or expert in each of the five top-level capabilities needed for an effective program, the HackerOne tool gives CSOs the concrete starting point required to effectively direct IT spend. For example, businesses can make sure they’re not overpaying for new vulnerabilities or unable to determine the root cause of specific bugs before going live.

Cost/Benefit of a Bug Bounty Program

But is the HackerOne tool — or a similar assessment — really necessary? Isn’t it possible for companies to simply task in-house IT with mimicking the structure of existing bounty programs and then handling any issues that emerge on a case-by-case basis? As noted by Data Center Journal, this isn’t a good idea for several reasons.

First is the influx of bug reports that come along with any new program. If made lucrative enough, both security pros and gifted amateurs will flood corporate gates with report after report — and not all these reports will contain useful information. Some will contain known vulnerabilities or variations on a theme, while others will mistake complex features or app functions for security holes. There’s also the problem of fishy reports or finders who claim they’ve discovered devastating bugs but want big money before they turn over the details. It never pays to wind up in this kind of standoff situation.

Enterprises also need to consider the competition. According to Engadget, security firm Zerodium is now offering a $1 million bounty for iOS 9 zero-day exploits. This isn’t a benevolent act to spare Apple and iOS 9 users the damage done by determined attackers. Instead, the firm would share exploit details with its clients to be used (and abused) as they see fit. Some experts argue that going to the affected company first is the morally upstanding choice, while others say that since Apple and other big names don’t pay out anything for bounties, it’s their own problem. For businesses new to world of bug bounties, it’s a wake-up call. This is a cutthroat, winner-take-all endeavor.

Here’s how it all shakes out: Software deployments are rapidly becoming both complex and quick to evolve, even for midsize companies and smaller enterprises. The result? It’s time to consider implementing a bug bounty program, but getting it right out of the gate is critical. Start with tools like HackerOne’s assessment offering and build from there — the bugs will come crawling.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today