September 24, 2015 By Douglas Bonderud 3 min read

Bug bounty programs have quickly gained steam as a way for companies to defend software interests without overspending on internal IT staffers. The premise is simple: Offer money or other compensation in exchange for well-documented, repeatable bug discoveries that are reported directly to enterprises instead of being shopped around underground markets. Businesses like Google, Dropbox and even Instagram have used these bounties to great effect, but for the moment, independent and vendor-sponsored bounties still dominate the market.

According to Threatpost, however, a new tool designed by HackerOne has emerged as the first step for companies looking to take charge of their own IT security by creating an in-house bug program. Here’s a quick overview.

Is Your Organization Ready?

Called the Vulnerability Coordination Maturity Model, HackerOne’s free assessment tool lets companies “determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards.” In effect, the five-minute survey is designed to provide a rough baseline of corporate readiness to implement a bug bounty program — before companies start spending on infrastructure and integration.

As noted by Katie Moussouris of HackerOne, the complexity of software vulnerabilities in a cloud- and mobile-enabled world means that wanting a bounty program isn’t enough. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside,” she told Threatpost. By providing determinations of basic, advanced or expert in each of the five top-level capabilities needed for an effective program, the HackerOne tool gives CSOs the concrete starting point required to effectively direct IT spend. For example, businesses can make sure they’re not overpaying for new vulnerabilities or unable to determine the root cause of specific bugs before going live.

Cost/Benefit of a Bug Bounty Program

But is the HackerOne tool — or a similar assessment — really necessary? Isn’t it possible for companies to simply task in-house IT with mimicking the structure of existing bounty programs and then handling any issues that emerge on a case-by-case basis? As noted by Data Center Journal, this isn’t a good idea for several reasons.

First is the influx of bug reports that come along with any new program. If made lucrative enough, both security pros and gifted amateurs will flood corporate gates with report after report — and not all these reports will contain useful information. Some will contain known vulnerabilities or variations on a theme, while others will mistake complex features or app functions for security holes. There’s also the problem of fishy reports or finders who claim they’ve discovered devastating bugs but want big money before they turn over the details. It never pays to wind up in this kind of standoff situation.

Enterprises also need to consider the competition. According to Engadget, security firm Zerodium is now offering a $1 million bounty for iOS 9 zero-day exploits. This isn’t a benevolent act to spare Apple and iOS 9 users the damage done by determined attackers. Instead, the firm would share exploit details with its clients to be used (and abused) as they see fit. Some experts argue that going to the affected company first is the morally upstanding choice, while others say that since Apple and other big names don’t pay out anything for bounties, it’s their own problem. For businesses new to world of bug bounties, it’s a wake-up call. This is a cutthroat, winner-take-all endeavor.

Here’s how it all shakes out: Software deployments are rapidly becoming both complex and quick to evolve, even for midsize companies and smaller enterprises. The result? It’s time to consider implementing a bug bounty program, but getting it right out of the gate is critical. Start with tools like HackerOne’s assessment offering and build from there — the bugs will come crawling.

More from

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions.“Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference.The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was the need…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today