Busting myths around bug bounty platforms

Cybersecurity attacks continue to rise not only in numbers but in sophistication and complexity. A data breach that violates GDPR could involve a fine of up to €20 million, or up to 4% of the annual worldwide turnover. Understandably, 40% of CEOs are very nervous about being the next victim of a hacker attack according to a PWC CEO Survey Report

The odds are in favour of the attackers who only need to exploit a single security flaw to compromise an entire organization. By contrast, security teams are tasked with defending against all potential vulnerabilities with heavily constrained resources, unlike hackers.

A quick look at any news story will feature a stereotypical image of a hacker in a hoodie hunched over a keyboard with a binary code background. This outdated image is just one of many dangerous myths that are not helpful to businesses attempting to remove critical security vulnerabilities.

Ethical hacking paved the way for so-called bug bounties as companies of all sizes turned to crowdsourcing in a bid to combat hackers. Public bug bounty programs are widely used to enhance security defences and mitigate vulnerabilities. Some businesses go as far as challenging hackers to find a bug on a site.

The only certainty is that security teams are resource-constrained, and hackers aren't. As for bug platforms, there are many myths and misconceptions that need to be retired.

1. Bug bounty programs must be public

Tech giants such as Google, Facebook, and Microsoft are often credited with revolutionizing application security with public bug bounty programs. But attitudes and approaches have evolved over the years. Contrary to popular opinion, the majority of bug bounty programs are actually private. For example, 80% of HackerOne programs consist of invitation-only bug bounty initiatives.

Most organizations now prefer the safety and anonymity of a private program where they can master the vulnerability handling process. Rather than the loud and brash approach of inviting the world to hack their business, private models offer a more sensible entry point to try out a bug bounty program for the first time.

A smaller group of skilled individuals can be invited based on their experience, specialist skills, and location. The much more discreet option is often completed without any fanfare or external recognition. For many businesses, ethical hacking is a journey, not a destination. Public bug bounties have huge additional benefits too, but it's seldom the first step for an organization.

2. Bug bounties are only for tech companies

Sure, it was the world's biggest tech companies that helped popularize the bug bounty model. But there is an argument that every business is a tech company in this increasingly digital world where remote working has become the new normal. As a result of these changes, the model has evolved to fit traditional organizations and industries too.

According to BugCrowd, everyone from financial services companies to government entities has taken part in private bug bounty programs. Traditional organizations, from financial services companies to government entities have engaged in private programs in recent years. Even the EU announced that it would be funding bug bounty programs for 14 open source projects last year.

It would be foolhardy at best for traditional industries to immediately showcase its vulnerabilities in a virtual public arena. Once again, private bug bounty programs offer a halfway house that is competitive but in a much more controlled environment.

3. Trusting hackers is a risky business

The prospect of inviting hackers to exploit vulnerabilities to your business can feel incredibly daunting. Why would you risk inviting trouble to your company? But there is a counter argument that burying your head in the sand is possibly the worst thing that you can do. Security is a journey, not a destination, and accountability is possibly one of your biggest weapons against the bad guys.

We know with certainty that vulnerabilities, risks, and hacks are continuing to rise. The continuous updating of security policies, procedures, and awareness programs are critical. When tasked with lowering risk in an organization, being vulnerable online far outweighs the dangers of being associated with running a bug bounty program.

Security research should be seen as an opportunity to unlock valuable insights by daring to explore unknown vulnerabilities. It's time to retire the outdated concept of hoodie-wearing hackers and baseless paranoia. In a controlled environment, these modern security researchers can help your organization by fixing flaws and reducing risk than hurting it. 

4. Bug bounties are a replacement for penetration testing

It's true that internal testing alone is not the answer. Unfortunately, there isn't a silver bullet or off the shelf solution. But every business will require a wide range of tools at their disposal. Traditionally, a company will turn to penetration testing and automated vulnerability scans for a set fee, which will need to be paid even if they don't detect any vulnerabilities.

By contrast, bug bounty programs often only reward ethical hackers if they find relevant vulnerabilities. Businesses will determine precisely what white hat hackers will test and how much money they will pay for uncovering security flaws. Many will see this as a much more cost-effective solution.

The reality is that neither penetration testing or bug bounty programs have the power to uncover every potential risk and vulnerability. Together, they can complement each other as part of a unified approach to cybersecurity focused on lowering risk and removing security flaws.

Rewarding a crowdsourced team for finding security flaws will probably need you to upgrade your corporate thinking. But having a group of hackers working on your behalf, rather than against you, can create more opportunities to boost your security and reduce risk in a more proactive approach against the real bad guys.

Leave a Reply

Your email address will not be published. Required fields are markedmarked