Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase.

Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security and outsource solutions cost-effectively. However, organizations have also encountered unforeseen vulnerabilities and threats due to these programs.

Are bug bounty programs worth it? If so, what are the risks, and how do you minimize them?

Google Makes Good Use of Bug Bounties

Google reported that it resolved over 2,900 problems in its products in the previous year thanks to security researchers. The tech giant disbursed a total of $4.8 million via the Android Vulnerability Reward Program (VRP), with one reward of $605,000. Google has offered up to $1 million for detecting remote code execution vulnerabilities related to the Pixel Titan M secure chip. In 2022, the company also offered a maximum of $750,000 for data exfiltration flaws in Titan M.

Out of the total sum, $486,000 was paid out under the Android Chipset Security Reward Program (ACSRP), which is run by Google in collaboration with Android chipset manufacturers. This program generated over 700 valid security reports.

Google also compensated bug hunters through the Chrome VRP, paying out a total of $4 million, including $3.5 million for 363 vulnerabilities detected in the Chrome browser. Nearly $500,000 was awarded for 110 bugs detected in ChromeOS. In 2023, Google plans to experiment with the Chrome VRP and has notified bounty hunters of potential bonus opportunities for Chrome Browser and ChromeOS security bugs.

Even Threat Actors Use Bug Bounty Programs

One year after the emergence of the dangerous LockBit 2.0, the ransomware gang’s developers introduced a new and improved version, LockBit 3.0. This latest strain employs novel ransomware tactics and, notably, features a bug bounty program for the first time ever in the LockBit Ransomware-as-a-Service operation.

LockBit is the first ransomware outfit to offer rewards to researchers and developers who identify security loopholes. Rewards range from $1,000 to $1 million for bugs in various aspects of the operation's website, such as cross-site scripting (XSS) and encryption weaknesses, as well as vulnerabilities in the Tox messenger and the Tor network.

The Bug Bounty’s Not-So-Hidden Liabilities

Despite Google’s and LockBit’s enthusiasm, some security experts like Joseph Neumann, Cyber Executive Advisor at Coalfire, warn about bug bounty program risks. Given increasingly complex validation requirements and the growing fatigue from compliance framework audits, bug bounty programs require careful and strategic thought. Organizations cannot afford to ignore the risks lurking beneath the surface.

As per Neumann, bug bounty programs do not serve as accredited third-party attestations and may not satisfy regulatory compliance requirements. Although they can identify vulnerabilities promptly, bug bounties may not offer comprehensive testing or assess the complete attack surface. And what’s the biggest potential risk? Ethical hackers can get access to source code, which might open doors for malicious actors to discover and exploit vulnerabilities.

How Much Do Bug Bounties Cost?

Google praised the higher bug bounty payout from last year. But is that necessarily a good thing? Bug bounty programs contain an often overlooked pitfall: the potential for costs to spiral out of control. According to Neumann, the costs generated by a bug bounty program can include:

  • Bounty payouts for an unlimited number of vulnerabilities that could be discovered
  • Vulnerabilities that malicious actors can leverage in data breaches
  • Development resources wasted on fixing non-harmful vulnerabilities
  • Possible legal consequences due to delays in remediating vulnerabilities

Beware of the Bugs in Bug Bounty

Top-level management officials often view bug bounty programs as quick and efficient solutions that reveal security weaknesses through an outsourced, on-demand payment system. Some programs also place an exaggerated emphasis on the value of bounties within a comprehensive security approach. As a result, decision-makers might hastily approve such programs without careful consideration.

Bug bounty programs are fully dependent on participants’ trustworthiness and capabilities. According to Neumann, this raises a plethora of concerns. What if you hire an ethical hacker who turns out to be unethical? Or what if a careless bounty hunter overlooks a critical bug that could lead to a catastrophic breach? What happens if a company becomes too reliant on bug bounty programs for testing purposes and neglects to comply with essential regulatory frameworks like PCI or FedRAMP?

As per Neumann, a recent forensic examination brought to light a scenario where a bug hunter neglected to report a vulnerability. An attacker then exploited that vulnerability two months down the line. That oversight resulted in a massive theft of sensitive client information.

The very program that strove to prevent such a security compromise had failed. This left the company and its clients vulnerable to untold damage.

Bug Bounty Might Attract Attackers

Neumann also states that Fortune 500 companies are seeing more attacks on the applications they’ve protected with bug bounties. As the rewards for discovering vulnerabilities increase and the targets become more prominent, the attack surfaces in these high-volume environments are also growing. Unfortunately, this increase in quantity also increases the potential for “white-hat cheating”. This could lead to unauthorized access by both internal and external malicious actors lurking in the shadows.

Making Bug Bounty Work

If you are going to use bug bounties, Neumann has some recommendations to follow:

  • Include a layer of legal protection. Have your internal counsel review the program and determine if an external counsel is required so that your organization is protected with legal privilege.
  • Use bug bounty programs as an augmentation to a comprehensive, dynamic and scalable security strategy. Don’t become over-reliant on your bug hunters.
  • Ensure that your bug bounty program and vulnerability remediation processes work closely together.

Bug bounty programs certainly can provide value. However, you must establish a sound approach to any program’s management before going bug hunting.
