How Bug Bounty Programs Help Improve SaaS and Web Security

By Captain Jack Sparrow, CC BY-SA 3.0,

As many companies who have found themselves victims of a debilitating ransomware attack or major data breach have found out; an ounce of prevention is worth a pound of cure. The same is true for software and web based product companies in regards to exploits within their software products or web applications. Better to have it discovered by a white hacker looking to make a few bucks to support his or her skill set, than deal with the aftermath of an exploit abused by people with unscrupulous intentions. Such is the purpose of bug bounties. A security breach has many costs in the form of a damaged reputation, loss of customers, security audits, fines and possible litigation. Bug bounties in comparison are a small price to pay for the added security and assurance.

What is a Bug Bounty?

Like the original bounty hunter role that has now evolved into an accepted and regarded ocupation that serves a valuable function within the judical process, bug bounty hunters today are filling a role that has quickly become respected amongst the software and web platform communities. Bug Bounties are offered by major companies such as Microsoft, Facebook and Wal-mart to encourage ethical hackers to test and challenge their security systems. Also referred to as responsible disclosure programs, bug bounties rewards are setup in order to encourage ethical hackers to test and probe their products and infrastructures for critical flaws that could be exploited. Often times these bounties are monetary but they can also be honorary mentions or free gear and services.

A Brief History

The first publicly announced bug bounty program was initiated by Netscape on October 10, 1995. The company offered cash rewards to anyone who could find security bugs in the coming Netscape Navigator 2.0 Beta release. Like the crowd sourced security programs of today, the bounty was designed to encourage an extensive, open review of the upcoming product in order to improve upon it. Nine years later, Mozilla offered their own program in which $500 rewards were offered to those who could identify critical vulnerabilities in Firefox. It wasn’t until 2010 that the practice was kickstarted by Google who launched similar initiatives for their own browser. Since then, many of the most recognized companies throughout the world have begun using this practice.

Big Payouts for Finding Bugs

While most bug bounties normally range between $200 and $5,000, the payouts can reach substantial sums. In 2012, Microsoft initiated a security contest in which a Columbia University PhD student was awarded $200K. In 2015, United Airlines awarded two researchers for their significant findings by compensating them one million miles of flight credits. Though individual disbursements may not reach those sizable amounts on a regular basis, the cumulative compensations awarded are indeed impressive. Notable examples include the Department of Defense that paid out $150K over a thirty day period for the discovery of 138 vulnerabilities that were discovered by external hackers in a “Hack the Army” program in 2015.

Google and Mozilla have paid out $9 million and $1.6 million respectively during the course of their initiatives and other big names such as Apple, Yahoo and Twitter have large budgets apportioned for their bug bounty programs.

Why Not Internal QA or Formal Penetration Testing

So why don’t companies simply utilize their own internal quality assurance personnel to find software vulnerability flaws? In the same way that open source platforms boast a higher degree of stability due to having unlimited eyes analyzing and contributing code, coordinated bug bounty program can provide companies with far more experienced cyber security researchers than they could ever have on staff. What’s more, bug bounty hunters bring alternative skillsets and knowhow and are usually more aware of new innovations and hacking implementations.

Professional penetration testing services are a viable route that some companies choose to test their systems from the outside. This is a highly structured approach with a formal contract specifying the services to be rendered and defined objectives. In these audits, the client will normally deal with a single point of contact for the duration of the project. The main downside of this approach is that the services are paid for whether they discover vulnerabilities or not. The cost of discovering a single flaw is the same as the discovery of a hundred. A formal penetration test also has a defined window for which the audit will take place. The beauty of a bug bounty program is that the client only pays for the discovery of critical vulnerabilities. What’s more, as long as a company can draw the interest of bug bounty hunters, bug bounties provide continuous security testing by a multitude of specialists.

How similar are White-hat Professionals and Internal Red Teams

The ability to host designated security teams is a privilege that only large enterprise organizations can enjoy due to the cost of maintaining them. A red team is assigned the task of challenging the security measures of the organization in order to emulate the techniques utilized by actual attackers. Although they are permanent members of the enterprise security staff, they do work independently. They are required to be kept up to date with present day attack methods. Where red team tactics primarily differ from bug bounty hunters is the mission of each group. The primary goal of the red team is to improve the effectiveness of the blue team, which is the primary security team assigned to protect the enterprise. This is a different objective than bounty hunters whose sole objective is to find flaws and vulnerabilities and report them

Managing Bounty Hunters

There are many benefits for a bug bounty program, but implementing one internally can be challenging due to the time and resources that are required to implement and manage such an endeavor. There is also an air of uncertainty and risk not knowing who you are truly dealing with in a “cattle call” like operation. In some cases, strict rules must be created and enforced due to data confidentiality and industry compliance issues. You can’t always hire a Russian teenager no matter how good he or she may be. Bug bounties can also create a lot of noise, creating an endless supply of submissions that in the end are of little value. For these reasons, many companies prefer to turn to a companies that specialize in managing bug bounty programs. These companies have the expertise and experience to improve the credibility and proficiency of participents as well as the signal-to-noise-ratio in order to better streamline the operation.

The Benefits of Bug Bounties

The practice of inviting bug bounty hunters to “break things” has not been widely accepted until recently, yet this seemingly unorthodox approach can garner major results and benefits. Because of the high dollars being generated by black hat organizations today, enterprises of all sizes are under constant threats from malicious attackers. Bug bounties are a great way to tap into the global hacking community and shore up your security in order to prevent the inevitability of an attack disruption. Paying hackers now, is a lot less costly than paying later.