Bug Bounty Programs: Are You Ready? (Part 1)

By Gunter Ollmann
Gunter Ollmann

The premise of crowdsourcing the task of uncovering new bugs and vulnerabilities in an organization's web applications or consumer products sounds compelling to many. What's not to like with the prospect of "many eyes" poking and prodding away at a corporate system for a minimal reward — and preemptively uncovering flaws that could have been exploited by hackers with nefarious intent?

Despite existing for over two decades prior to the more recent launch of commercial bug bounty platforms and services, not a lot has changed in the mechanics and benefits of crowdsourcing bug hunting. The question that many struggle to answer though, is "Are bug bounties an effective security strategy?"

Netscape was likely the first entity to publicly broadcast their bug bounty program back in October 1995 — calling for beta testers to refine Netscape Navigator 2.0 — and offering a mix of cash prizes and swag. Today's bug bounty programs offer the same rewards; while new commercial bounty platforms offer bug hunters the additional prospect of scoreboards and cross-promotion aggregation of payments or prizes.

With the rise of new commercial bug bounty platform providers (e.g. HackerOne, Bugcrowd, BugBountyHQ, Synack, Cobalt Labs, etc.) and the growth of high profile online service providers offering bug bounties (e.g. Google, Facebook, Pinterest, Yahoo, Mozilla, Wordpress, Microsoft, etc.), there is added pressure on CISO's of organizations with sizable online service or product portfolios to launch their own bug bounty programs.

For many new to the topic of bug bounties, new questions are being raised… Are bug bounties a "flash in the pan"? Should an organization launch a bug bounty? Are the newly emerged and VC-funded bug bounty platforms providing value? What will the bug bounty landscape look like in a few years?

Pre-requisites to Investing in a Bug Bounty Program

Before considering launching or offering up a bug bounty program for any organization, I strongly recommend that they master the following security prerequisites first:

Failure to have mastered these prerequisites will likely:

In Part 2 of this article, we'll discuss why an organization should invest in a bug bounty program and understand the limits of any value an organization could expect to extract from running such a program.

In Part 3 we'll look at the crystal ball. Managed vulnerability scanning and regular penetration testing form the basis of vulnerability management and certification today. Can bug bounty programs and platform providers close the gap on vulnerability management and usurp the commercial penetration testing market, or is this all just a flash in the pan?

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Related topics: Cybersecurity, Web