Bug bounty programs have come a long way since the idea was first coined by Jarrett Ridlinghafer back in 1996, with some of the biggest companies in the world now adopting them and offering up huge sums of money for the ethical discovery and notification of vulnerabilities in their services and products.
In fact, they have become such big business that they have led to the birth of dedicated vulnerability coordination and bug bounty platforms, designed to help deploy these programs and connect businesses with security researchers. Of these, San Francisco-based firm HackerOne was the first. Their co-founder and CTO Alex Rice was a speaker at the inaugural Wired Security Conference in London this week where he presented his thoughts on ‘What Can We Learn from Hackers’, and I was lucky enough to speak with him at the event to find out a little more on the fascinating concept of the bug bounty program.
What do you see as the main benefits of bug bounty programs?
The value of the bug bounty program is the diversity of thought that it brings to a particular problem. It brings dozens or hundreds of curious minds to say ‘What can go wrong here? What if the technology fails? What are we missing?’ There’s nothing else like that in the security industry; you can’t get that with checklists, security compliance, existing automated tools, and you don’t even get that with a few brilliant security individuals. You could have a well-funded team with some of the greatest engineers on the planet, but if they think the same and act the same and come from the same backgrounds, they’re not going to have the same results that a community-based approach can have.
What have you seen in terms of bug bounty programs changing in recent years?
They have evolved quite a bit organically in the time they’ve been around. The first organizations to really popularize them were the web browser vendors, then Google and Facebook launched theirs for all of their structure. They really started out as open invitations to the entire hacker community to come and report vulnerabilities, and you really had to have your security at a pretty respectable level before you could put out a statement like that.
One of the main ways they have evolved with the use of bug bounty platforms is the introduction of private, invitation-only programs. As many as 80% of our customers are now running private programs rather than public programs, and that gives organizations a lightweight, organic way to start working with hackers in a tightly-controlled environment that they grow over time, as they gain more confidence in their overall security maturity. That’s probably the biggest shift that has made them accessible to everyone.
So do you think all companies should be considering investing in a bug bounty program?
I think as a minimum all companies must consider responsible disclosure programs, just a simple process for someone to tell you about a vulnerability if they find one. I do think that is something everybody should have because just that simple act will encourage people to start exercising their curiosity and in most companies people will come forward with vulnerabilities even before bounties have been offered.
In an ideal world, bug bounty programs would be something that is part of every modern software development cycle. The sad reality today though is that most teams aren’t ready for it yet. To really get the full value of bug bounty programs you have to be ready to learn about vulnerabilities and have a team that is excited about that; that’s not normal today.
Lastly, you mention that most companies aren’t ready to adopt bug bounty programs yet. What advice would you give organizations to get them in a better position to do so?
There are two pieces of advice I would give here. The first is, if you don’t have an existing security roadmap and don’t know the problems you need to fix, then you should invest in a private program which can leverage a small group of invited hackers to help guide where you should be investing in your security. That’s an incredibly easy step that anyone can get started with; every program that we’ve seen launch has found something.
The second is, if you do know what you need to fix and you know what you need to improve, do you actually have the resources to be able to do that?
The fact is, you don’t really know which bucket your organization falls into until either criminals come along and test your defenses for you, or you start actively probing them yourself.