May 22, 2023 By Jonathan Reed

Bug bounty numbers have never been better. In 2022, Google rewarded the efforts of over 700 researchers from 68 different countries who helped improve the security of the company’s products and services. The total amount of awards grew from $8.7 million paid in 2021 to $12 million in 2022, a nearly 38% increase.

Over the past few years, bug bounty programs have gained significant traction. Companies have been lured in by the potential to identify vulnerabilities quickly, enhance product security and outsource solutions cost-effectively. However, organizations have also encountered unforeseen vulnerabilities and threats due to these programs.

Are bug bounty programs worth it? If so, what are the risks, and how do you minimize them?

Google makes good use of bug bounties

Google reported that it resolved over 2,900 problems in its products in the previous year thanks to security researchers. The tech giant disbursed a total of $4.8 million via the Android Vulnerability Reward Program (VRP), with one reward of $605,000. Google has offered up to $1 million for detecting remote code execution vulnerabilities related to the Pixel Titan M secure chip. In 2022, the company also offered a maximum of $750,000 for data exfiltration flaws in Titan M.

Out of the total sum, $486,000 was paid out under the Android Chipset Security Reward Program (ACSRP), which is run by Google in collaboration with Android chipset manufacturers. This program generated over 700 valid security reports.

Google also compensated bug hunters through the Chrome VRP, paying out a total of $4 million, including $3.5 million for 363 vulnerabilities detected in the Chrome browser. Nearly $500,000 was awarded for 110 bugs detected in ChromeOS. In 2023, Google plans to experiment with the Chrome VRP and has notified bounty hunters of potential bonus opportunities for Chrome Browser and ChromeOS security bugs.

Even threat actors use bug bounty programs

One year after the emergence of the dangerous LockBit 2.0, the ransomware gang’s developers introduced a new and improved version, LockBit 3.0. This latest strain employs novel ransomware tactics and, notably, features a bug bounty program for the first time ever in the LockBit Ransomware-as-a-Service operation.

LockBit has become the pioneering ransomware outfit offering rewards to researchers and developers who identify security loopholes. Rewards range from $1,000 to $1 million for detecting bugs in various aspects of the website, such as cross-site scripting (XSS), encryption and vulnerabilities in Tox messenger and the Tor Network.

The bug bounty’s not-so-hidden liabilities

Despite Google’s and LockBit’s enthusiasm, some security experts like Joseph Neumann, Cyber Executive Advisor at Coalfire, warn about bug bounty program risks. Given increasingly complex validation requirements and the growing fatigue from compliance framework audits, bug bounty programs require careful and strategic thought. Organizations cannot afford to ignore the risks lurking beneath the surface.

As per Neumann, bug bounty programs do not serve as accredited third-party attestations and may not satisfy regulatory compliance requirements. Although they can identify vulnerabilities promptly, bug bounties may not offer comprehensive testing or assess the complete attack surface. And what’s the biggest potential risk? Ethical hackers can get access to source code, which might open doors for malicious actors to discover and exploit vulnerabilities.

How much do bug bounties cost?

Google praised the higher bug bounty payout from last year. But is that necessarily a good thing? Bug bounty programs can contain an often overlooked pitfall: the potential for costs to spiral out of control. According to Neumann, the costs generated by bug bounty programs might include:

  • The unlimited number of vulnerabilities that could be discovered (bounty payout)
  • Vulnerabilities that malicious actors can leverage in data breaches
  • Development resources wasted on fixing non-harmful vulnerabilities
  • Possible legal consequences due to delays in remediating vulnerabilities

Beware of the bugs in bug bounty

Top-level management officials often view bug bounty programs as quick and efficient solutions to reveal security weaknesses through an outsourced, on-demand payment system. Also, some programs place an exaggerated emphasis on the value of bounties within a comprehensive security approach. However, decision-makers might hastily approve such programs without careful consideration.

Bug bounty programs are fully dependent on participants’ trustworthiness and capabilities. According to Neumann, this raises a plethora of concerns. What if you hire an ethical hacker who turns out to be unethical? Or what if a careless bounty hunter overlooks a critical bug that could lead to a catastrophic breach? What happens if a company becomes too reliant on bug bounty programs for testing purposes and neglects to comply with essential regulatory frameworks like PCI or FedRAMP?

As per Neumann, a recent forensic examination brought to light a scenario where a bug hunter neglected to report a vulnerability. An attacker then exploited that vulnerability two months down the line. That oversight resulted in a massive theft of sensitive client information.

The very program that strove to prevent such a security compromise had failed. This left the company and its clients vulnerable to untold damage.

Bug bounty might attract attackers

Neumann also states that Fortune 500 companies are seeing more attacks on the applications they’ve protected with bug bounties. As the rewards for discovering vulnerabilities increase and the targets become more prominent, the attack surfaces in these high-volume environments are also growing. Unfortunately, this increase in quantity also increases the potential for “white-hat cheating”. This could lead to unauthorized access by both internal and external malicious actors lurking in the shadows.

Making bug bounty work

If you are going to use bug bounties, Neumann has some recommendations to follow:

  • Include a layer of legal protection. Have your internal counsel review the program and determine if an external counsel is required so that your organization is protected with legal privilege.
  • Use bug bounty programs as an augmentation to a comprehensive, dynamic and scalable security strategy. Don’t become over-reliant on your bug hunters.
  • Ensure that your bug bounty program and vulnerability remediation processes work closely together.

Bug bounty programs certainly can provide value. However, you must establish a sound approach to any program’s management before going bug hunting.
