Should a company have a bug bounty program?

All companies (and other organizations) that develop and deploy software can benefit from a bug bounty program (or, more generally, from a vulnerability disclosure program).
A bug bounty program is the "catch-all" for vulnerabilities that survive every earlier check and reach live software. It is an essential part of the software development lifecycle (SDLC). When a vulnerability is found in live software, you don't only fix the bug that caused it; you also go back to the earlier stages of the SDLC to improve the processes and practices that let it through, so that type of vulnerability does not recur. The software becomes more secure as the SDLC is incrementally improved.
A bug bounty program can cover all types of system vulnerabilities (i.e. it has broad coverage), it produces results very quickly (often within 24 hours of launching a program), and it is an order of magnitude more cost-effective than other methods. The average bounty is about $500; the average cost per bug or vulnerability found using scanners or pentesting is easily 10-20 times higher. (And the cost of NOT finding and fixing a vulnerability runs into the millions of dollars or euros.)
The leading digital companies run large bug bounty programs and are very happy with them: Google, Microsoft, Facebook, Uber, Twitter, Snapchat, Riot Games, Slack, Quora, GitHub, Salesforce, etc.
If the value proposition of bug bounty programs is so compelling, why isn't everyone running one? Here are some reasons we have observed:
  • Bug bounty programs represent a new way to look at software security, and it takes time for some organizations to learn about them and see the benefits.
  • Like some humans, some companies just don't want to know what's wrong with them.
  • Some companies have software deployments with so many known flaws, which they are already working through, that it does not make sense for them to start a bug bounty program yet: the backlog of fixes is large enough as it is. Once they have fixed the majority of their known issues, it is time for a bug bounty program.
  • Some companies are so small or understaffed that they are unable to operate a bug bounty program successfully. The program becomes unresponsive, reports go untriaged and unpaid, and this irritates and drives away the ethical hackers who are trying to help them.
  • Some companies operate under strict regulation or compliance rules, and they are unsure whether a bug bounty program fits within those rules, or whether the regulation must first be changed.
  • Some companies' software is used in life-critical systems (e.g. aircraft, vehicles, hospital systems). To run a bug bounty program safely, they need to set up a separate testing environment rather than let researchers probe production. This is absolutely doable (and often done), but it inevitably adds a layer of complexity.
  • Some companies don't deploy software themselves (a small law or medical practice would be a typical example). They use software as a service from vendors. It is those vendors who should run bug bounty programs, not their customers.
  • Some companies believe that their systems have no serious vulnerabilities. In our experience, this belief has never turned out to be correct.
All of the above objections can be dealt with, and are being dealt with. Once every organization that develops and deploys software runs a bug bounty program, the internet and the entire connected society we live in will be more secure.