When it comes to bug bounty platforms people don’t always know fact from fiction. As quickly as these platforms have risen so too have the misconceptions. Ethical hacking provides businesses with an opportunity to enhance security defences and mitigate vulnerabilities but, for some, ethical hacking is an unknown, which has led to several myths.
So, what are bug bounty platforms and how can businesses take advantage of this to improve overall cyber-defence? To help the understanding around ethical hacking and bug bounty platforms, we’ve tackled four key myths to separate fact from fiction and to inform and guide on the best practices.
Myth #1: Bug bounty programs have to be public
Bug bounty platforms allow organisations to show just how secure their products are. Hacker-powered security puts a global ethical hacker community on watch, 24/7, for any vulnerabilities which might have been missed. Hackers are smart, driven and creative people who often think outside the box and can help elevate any cybersecurity strategy which is already in place.
Public bug bounty programs are a way to publicly demonstrate how secure your products are. “If you don't think our service is secure, we invite you to find a bug!”. However not every program needs to be public. In fact, most bug bounty programmes are private.
In a private program, a smaller group of people are chosen and invited to find bugs. The selection criteria is usually based on experience, specialist skills, location and availability. Every report, every participant, every bounty reward, every aspect of the program is totally private. Most organisations begin with a private program and then ‘go public’ only after the vulnerability handling process is well-rehearsed, the bounty budget forecasted, the legal and marketing teams briefed, and the DevSecOps communications streamlined.
So, businesses shouldn’t be held back by the idea of going public. Ethical hacking is about going on a journey and only when the organisation is ready will that step be made. Public disclosure however also brings a range of benefits. By publicly embracing security, businesses are seen as open and honest, showing they care and value customer data and will do everything in their power to fix vulnerabilities. In addition, arguably one of the main benefits about public disclosure is that organisations can attract the best pool of talent – increasing the number of hackers who are testing the system. Fundamentally, public bug bounties show that security is being taken seriously and this is something to be embraced.
Myth #2: Bug bounties have to be continuous throughout the year
While some organisations do choose to run continuous bug bounty programs, many also opt for time bound challenges. These types of programs involve testing against a defined scope, often using a fixed number of hackers in a short-term engagement.
Bug bounty programs are definitely customisable. It’s easy to calibrate a private bounty program to make sure the number of reports you receive is manageable, both in terms of your team’s time and your budget. This gives businesses the opportunity to know when tests are being run and they can prepare IT teams. It’s also a great way to start the ethical hacking journey, as once security teams are engaged the business can move towards a more continuous engagement plan. This type of strategy also allows smaller organisations or businesses with limited IT teams to take advantage of ethical hacking as they will know when to expect vulnerability reports. Everyone from enterprise businesses to start-ups can benefit from hacker-powered security and this flexibility and variety enables that.
Myth #3: You have to award bounties to work with hackers
This very much depends on the programme you want to run. A Vulnerability Disclosure Program (VDP) is a way to receive vulnerabilities from outside with no financial incentive. Like the 911 of the internet, it provides a channel for reporting and receiving digital emergencies.
The primary purpose of a VDP is to have a public way of receiving vulnerabilities from external security researchers. In doing so, businesses can avoid surprises like a vulnerability disclosure on Twitter or through the customer service channels. Several governments and companies often host a VDPs platform as it allows them to engage with the public, but also to improve security. After all no citizen wants to see their data exposed and ethical hackers will often want to nature their skills set and help public organisations in the process.
On the other hand, there is a competitive bounty market for bugs and this does mean a financial incentive. The average bounty paid out is $800, but some are lower than that, and some are much higher, up to $1,000,000. The amount often depends on the skill and effort required to find the bug.
Myth #4: Bug bounties don’t encourage developers to communicate with hackers
Every bug that is fixed makes our digital lives safer, and it is developers that do this heroic work. Developers don’t want to navigate through a 100-page PDF report. Developers don't want to read irrelevant tool output. Developers are unlikely to attend your 90-minute online seminar reviewing pertest results at 9am.
For this reason, there are platforms that allow developers to communicate directly with hackers in their time, in their way. Some bug bounty platforms provide the ability to tag people, to assign a vulnerability to different groups and to add your contractors and vendors to a report. This makes communication and collaboration as streamlined and as simple as possible.
Bug bounty platforms can support organisations of all sizes, and there are businesses effectively reaping the benefits of crowdsourced security testing on their other digital assets, and are beginning to take proactive measures to engage hacker communities.
Laurie Mercer, security engineer, HackerOne