Cash for Bugs: should you crowdsource your application security?

A bug bounty programme can be quite effective if managed properly.

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security discusses why bug bounty programmes are becoming increasingly popular and whether or not they can be used by businesses to improve security posture.

Already an attractive option for a variety of consumer applications, crowd sourcing is now catching on in the corporate world. One emerging area of crowd sourcing is bug bounty programmes. These are rewards offered by organisations to security researchers or whitehat hackers, who receive recognition and financial compensation for finding and reporting bugs, exploits and vulnerabilities in the organisations’ websites and applications.

As a technology company or security professional, it’s easy to see the attraction of running bug bounty programmes. But these programmes are not without risk, and timing can be a critical factor. Unless they are managed carefully, bug bounty programmes can come with serious consequences for your overall security posture.

Back to basics: what is a bug bounty?

Bug bounty programmes have been around since the mid-to-late 1990s, but for many years the number of organisations offering them was fewer than a couple of dozen. That changed just a few years ago, when some large companies like Facebook, Google, Microsoft, and Yahoo launched very high profile and well publicised programmes.

They now come in all shapes and sizes, with some applying to back-end software, some to customer-facing websites and applications, and some to hardware. They are most predominantly found in the high-tech industry, but more recently they’ve been appearing in sectors such as retail, social media, gaming, finance and travel.

Programmes can be managed in one of two ways: organisations can take a “do-it-yourself” approach, or they can engage a bug bounty broker to front the programme for them. Brokers step in to create and manage bug bounty programmes on behalf of their customers.

Do-it-yourself bug bounty programmes are obviously more resource-intensive to run, and they involve a process that is very hard to automate. All bug bounty programmes take a lot of time and money to do well, which is why only the largest social networking, e-commerce, and software companies are running their own programmes.

When and where?

A bug bounty programme can be a great complement to your existing application security initiatives to add extra expertise and a new set of eyes on perhaps your one or two most business-critical applications. Running a bounty programme can also help to encourage goodwill in the hacker community, turning that community into a sort of “neighbourhood watch” for the company and its products.

For the majority of organisations, adding a bug bounty programme to the mix makes the most sense at a stage when the company’s existing app security programme is already quite mature. This means very few new vulnerabilities are being introduced by the developers, and any that are introduced are being fixed as quickly as they are reported. If this is not yet the case, the company would be better off spending the time and resources getting its continuous app security practice up to scratch before rolling out the bug bounty red carpet.

Safety considerations

Today, as organisations consider their overall security posture, one of the biggest concerns around vulnerability testing is who has access to what. With much of the testing taking place on source code and behind firewalls, understanding who has access, where the testing will take place, and where the vulnerability data will be stored are all critical considerations.

In a bug bounty model, organisations have very little visibility or control over these considerations. Most security researchers are working privately and there is certainly no way to keep tabs on them. There have been cases in the news recently in which bug bounty hunters have gone far beyond what the organisations expected of them and have accessed sensitive data that the organisations didn’t want to share publicly.

Bug bounty hunters may also try out unexpected testing methodologies and techniques to probe your websites and may end up compromising the security of your secondary systems or inadvertently accessing the source code of your web applications stored on SVN servers.

Furthermore, there is no way of ensuring that your entire application has been combed through diligently to find all the vulnerabilities. Since most bug bounty hunters work independently, you have no idea which areas of the websites have been assessed and which haven’t, so you can never truly know what your security posture is.

Start small, then scale it up

Many large and small organisations realise the value of bounty programmes in terms of access to skill sets and scalability, but they have also recognised that such programmes can be difficult to control from a budget perspective. If you’re considering a bug bounty programme, there are a few important steps that need to be taken. The first step involves running a time-bound, closed, and confidential bounty programme before opening things up to a larger crowd of participating bug hunters.

Apple recently announced that it was holding an invitation-only bounty programme. The invitation-only approach enables Apple to ensure it engages with vetted researchers who are interested in working with them to find and disclose security problems within what are most likely as-yet unreleased software builds.

In a scaled-down programme, a small and elite team from a bounty hunter pool should be allowed to test a select number of applications and websites over a short period of time – usually two to four weeks. Following this test, which establishes trust in the process, the bug bounty programme can then be opened up to the world at large.

A dual-pronged approach is key to success

Security-conscious organisations have been interested in bug bounty programmes for years, and many have been keeping a close eye on how these programmes are evolving – specifically, where they can and should fit in their security mix, and the economics associated with this. Using a dual-pronged approach of a comprehensive security programme plus a bug bounty programme, you should be able to have the most effective security strategy at the right times. This will safeguard your digital assets and help you beat hackers at their own game.

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security

ABOUT THE AUTHOR

Ryan O’Leary is Vice President of the Threat Research Center at WhiteHat Security, the web application security specialist. Ryan has extensive experience in finding and exploiting application vulnerabilities and configuring automated testing tools.