How Effective Are Bug Bounty Programs As Security & Compliance Strategies?

New data-driven businesses are mushrooming, organizations across industries are embracing technological advancements, and cybercriminals are getting more sophisticated. Cybercrime rates are growing, and further growth is expected.

Despite the astonishing number of cybercrime categories, however, the perception of risk per se seems to be the heart of the problem. Being entranced by digital tech, too many companies estimate the cost of being a victim to be low, and readily accept the risk. Many people see data breaches as a cost of doing business.

In October 2018, HackenProof held an onsite bug bounty marathon called HackenCup. The event gathered 25 talented hackers from around the world to search for vulnerabilities in three products. The ride-sharing service Uklon was one of them.

The team of ethical hackers found four major vulnerabilities that could lead to a vast array of serious issues. By the end of the day, the hackers submitted 74 reports, which both shocked and excited Uklon’s founder.

Uklon is not alone in discovering the benefits of bug bounty programs. After the Marriott breach, Hyatt Hotels launched its own bug bounty program. Here’s why your organization should get proactive with bug bounties.

Bug bounty: Advantages and challenges

You might remember the story of Frank Abagnale, probably the most talented fraudster in history, who ended up helping the FBI and other law enforcement agencies uncover fraudulent schemes. The idea is to fight fire with fire: Abagnale knows the psychology of criminals and their “craft” better than anyone.

This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities before the bad guys beat them to it. In other words, running a bug bounty program is getting ahead of the game by being proactive and predictive. A bug bounty is an alternative way to detect software and configuration errors that can slip past developers and security teams, and later lead to big problems.

But it’s important not to over-rely on bug bounty programs. They are an incremental layer of assurance: they complement, rather than replace, secure development practices, automated scanning, and in-house security testing.

Unlike traditional penetration testing services, which tend to generate a culture of fear and box-ticking against compliance requirements, bug bounties are about creating a culture of openness, transparency, and responsibility. Even if your company doesn’t offer bug bounties, you need to establish a vulnerability disclosure policy as soon as possible.

Another term for this is a responsible disclosure policy: a public statement that tells researchers how to report vulnerabilities in your products and commits that your company won’t pursue legal action against ethical hackers who follow its rules in good faith. Startups and young organizations that haven’t adopted such policies are missing out.

Consider bug bounties carefully

A bug bounty program is a valuable tool if you use it carefully. To avoid legal problems and risk to your company’s reputation, you must be thoughtful about how you design and implement these programs.

Before diving into the program, consider what network components and data you should include—in other words, define the scope of the bounty program. You must be unambiguous about what conduct is authorized (the rules of engagement), and you must decide what proof you’ll require to confirm a finding and how researchers should submit it.

Since a bounty program is about trust and transparency, your organization must be open about how, and how much, it will pay for vulnerability reports.

Companies differ in the types of information they hold, their contractual and other obligations, and their legal requirements, so it’s important to create rules that fit your situation and then comply with them. Don’t compromise on that. Otherwise, you have a high chance of ending up in an unfavorable negotiating position or becoming exposed to legal or other risks.

A walk through the process

Bug bounty brief

Once a company has chosen a bounty program and platform, it creates a brief that describes the rules of researcher engagement. It provides detailed information about the company, what to look for and what not to look for (the in-scope and out-of-scope assets), reward tiers, and specific rules for hackers.

Program launch

Publish the brief on a bounty page. Then conduct marketing activities to attract ethical hackers to your program.

Start of the program

Next, security testing begins as hackers work on your software, detect bugs, and report them. Their reports should show how to reproduce and exploit each detected vulnerability, and be submitted through the program’s official reporting channel.

Triage team stage

Your bug bounty platform must include an in-house cybersecurity triage team. These specialists verify that reported bugs are real and reproducible, filter out duplicates and out-of-scope findings, and rate the severity of each valid report so the organization can prioritize fixes.

Fixing the bugs

After your company receives a report detailing a bug and how to reproduce it, it fixes the issue, and the researcher who found it receives a payment, along with reputation points on the platform.
