May 22, 2023 By Jonathan Reed 4 min read

Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase.

Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security and outsource solutions cost-effectively. However, organizations have also encountered unforeseen vulnerabilities and threats due to these programs.

Are bug bounty programs worth it? If so, what are the risks, and how do you minimize them?

Google makes good use of bug bounties

Google reported that it resolved over 2,900 problems in its products in the previous year thanks to security researchers. The tech giant disbursed a total of $4.8 million via the Android Vulnerability Reward Program (VRP), with one reward of $605,000. Google has offered up to $1 million for detecting remote code execution vulnerabilities related to the Pixel Titan M secure chip. In 2022, the company also offered a maximum of $750,000 for data exfiltration flaws in Titan M.

Out of the total sum, $486,000 was paid out under the Android Chipset Security Reward Program (ACSRP), which is run by Google in collaboration with Android chipset manufacturers. This program generated over 700 valid security reports.

Google also compensated bug hunters through the Chrome VRP, paying out a total of $4 million, including $3.5 million for 363 vulnerabilities detected in the Chrome browser. Nearly $500,000 was awarded for 110 bugs detected in ChromeOS. In 2023, Google plans to experiment with the Chrome VRP and has notified bounty hunters of potential bonus opportunities for Chrome Browser and ChromeOS security bugs.

Even threat actors use bug bounty programs

One year after the emergence of the dangerous LockBit 2.0, the ransomware gang’s developers introduced a new and improved version, LockBit 3.0. This latest strain employs novel ransomware tactics and, notably, features a bug bounty program for the first time ever in the LockBit Ransomware-as-a-Service operation.

LockBit has become the pioneering ransomware outfit offering rewards to researchers and developers who identify security loopholes. Rewards range from $1,000 to $1 million for detecting bugs in various aspects of the website, such as cross-site scripting or XSS, encryption and vulnerabilities in Tox messenger and the Tor Network.

The bug bounty’s not-so-hidden liabilities

Despite Google’s and LockBit’s enthusiasm, some security experts like Joseph Neumann, Cyber Executive Advisor at Coalfire, warn about bug bounty program risks. Given increasingly complex validation requirements and the growing fatigue from compliance framework audits, bug bounty programs require careful and strategic thought. Organizations cannot afford to ignore the risks lurking beneath the surface.

As per Neumann, bug bounty programs do not serve as accredited third-party attestations and may not satisfy regulatory compliance requirements. Although they can identify vulnerabilities promptly, bug bounties may not offer comprehensive testing or assess the complete attack surface. And what’s the biggest potential risk? Ethical hackers can get access to source code, which might open doors for malicious actors to discover and exploit vulnerabilities.

How much do bug bounties cost?

Google praised the higher bug bounty payout from last year. But is that necessarily a good thing? Bug bounty programs can contain an often overlooked pitfall: namely, the potential for costs to spiral out of control. Neumann cites costs generated by bug bounty programs might include:

  • The unlimited number of vulnerabilities that could be discovered (bounty payout)
  • Vulnerabilities that malicious actors can leverage in data breaches
  • Development resources wasted on fixing non-harmful vulnerabilities
  • Possible legal consequences due to delays in remediating vulnerabilities.

Beware of the bugs in bug bounty

Top-level management officials often view bug bounty programs as quick and efficient solutions to reveal security weaknesses through an outsourced, on-demand payment system. Also, some programs place an exaggerated emphasis on the value of bounties within a comprehensive security approach. However, decision-makers might hastily approve such programs without careful consideration.

Bug bounty programs are fully dependent on participants’ trustworthiness and capabilities. According to Neumann, this raises a plethora of concerns. What if you hire an ethical hacker who turns out to be unethical? Or what if a careless bounty hunter overlooks a critical bug that could lead to a catastrophic breach? What happens if a company becomes too reliant on bug bounty programs for testing purposes and neglects to comply with essential regulatory frameworks like PCI or FedRAMP?

As per Neumann, a recent forensic examination brought to light a scenario where a bug hunter neglected to report a vulnerability. An attacker then exploited that vulnerability two months down the line. That oversight resulted in a massive theft of sensitive client information.

The very program that strove to prevent such a security compromise had failed. This left the company and its clients vulnerable to untold damage.

Bug bounty might attract attackers

Neumann also states that Fortune 500 companies are seeing more attacks on the applications they’ve protected with bug bounties. As the rewards for discovering vulnerabilities increase and the targets become more prominent, the attack surfaces in these high-volume environments are also growing. Unfortunately, this increase in quantity also increases the potential for “white-hat cheating”. This could lead to unauthorized access by both internal and external malicious actors lurking in the shadows.

Making bug bounty work

If you are going to use bug bounties, Neumann has some recommendations to follow:

  • Include a layer of legal protection. Have your internal counsel review the program and determine if an external counsel is required so that your organization is protected with legal privilege.
  • Use bug bounty programs as an augmentation to a comprehensive, dynamic and scalable security strategy. Don’t become over-reliant on your bug hunters.
  • Ensure that your bug bounty program and vulnerability remediation processes work closely together.

Bug bounty programs certainly can provide value. However, you must establish a sound approach to any program’s management before going bug hunting.

More from News

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today