The decision to pay someone to deliberately hack into your system to find vulnerabilities might seem counterintuitive to infosec professionals, but bug bounty programs are gaining a lot of popularity with big-name companies.
Take Facebook. Khalil Shreateh went to incredible lengths to flag a critical bug in Facebook’s software that allowed anyone to post directly on to any user’s wall. After repeatedly being ignored by their security team, he took the bolder route of posting on Mark Zuckerberg’s wall to flag the bug. This incident drew Facebook’s attention to the shortcomings of its reporting process, and it has since invested in a bug bounty program.
Of course, the decision to implement a bug bounty program or not should be one that is well thought out. For instance, for us at Malwarebytes, we rolled out a bug bounty program after a well-known security researcher alerted us to vulnerabilities in our consumer software. We were hugely grateful for this and wanted to incentivise other researchers to follow suit.
Naturally, we have a dedicated security team working tirelessly to ensure our product is bug-free and secure, but vulnerabilities are the harsh reality of software development, and sometimes a fresh set of eyes can reveal flaws that might otherwise have been overlooked.
For instance, the methods outside researchers employ will sometimes reveal subtle flaws and novel attack vectors. All of this can help shape future product improvements, but it is also a necessary investment that can help thwart costly breaches and other hacks that might put a business in jeopardy.
Since its launch in 2016, our program has rewarded researchers and credited them according to their efforts in our Hall of Fame. The amount awarded for a bug is up to $1,000 and is decided case by case.
Bug bounty programs also have broader benefits: when the NCA says that young people are getting into cybercrime thinking it is ‘cool’, the industry must do much more to turn these skilled young people onto the white hat hacker path. They need to be fighting crime, not contributing to it, and bug bounty programs are an exciting prospect for them – one that also pays well.
In fact, it was revealed that Facebook has now paid out $6.3 million to bug bounty hackers since it began its program in 2011. Google has also invested in its program and its biggest reward was $112,500, paid to someone who found vulnerabilities in its Pixel smartphone. Not a bad earner.
Are bug bounty programs for everyone?
Like anything in life, bug bounty programs have some potential drawbacks, which CISOs should be mindful of, and they may not suit every company.
For instance, critics say programs could lead to researchers selling bug information to cyber-criminals instead of reporting it to the company. Also, if you’re considering rolling out a bug bounty program, be specific about what your bounties cover so you don’t end up paying for bugs that are already on your radar.
Or if you’re a security researcher considering a side project, be aware that regardless of your time spent probing software, you might not get anything in return if you can’t find any bugs.
As with any security protection, don’t rely on just one form – bug bounties aren’t a silver bullet. Alongside having endpoint protection and remediation software installed, staying informed and educated about potential threats is the best course of action. Bug bounties then add an extra layer to this, seeking out subtle flaws that may not have been noticed.
The need to invest in new security methods to mitigate ransomware and malware has never been more important than now.
To my mind, the more cybersecurity brains you can bring together the better. We must stop shaming and blaming one another and instead come together to fight cybercrime – and bug bounties are a great first step in this.
Rather than cowering we must change the narrative around cybercrime – engendering a culture of 'no fear' to avoid businesses like Uber and Yahoo trying to cover their tracks. If we do this, we will shine light into the darkest corners of the web where these criminals hide, remove their aura of invincibility and show them for what they really are – miscreants.