Why more and more companies are turning to bug bounties

As systems grow ever-more complex and cybercriminals grow in number and expertise, there is a growing pressure to ensure your organization is safe and secure.

But with a global shortfall of cyber-security talent expected to reach 1.8 million by 2022, finding enough bodies with the right talent to find and plug every hole in your company’s cyber defences is a constant struggle for many.

As a result, many organizations are turning to crowdsourcing. There is a growing acceptance of ethical hackers as a viable outsourcing option in a scheme known as bug bounties.


The rise of bug bounties

The concept of bug bounties – where companies invite hackers to test their systems and report discovered vulnerabilities back to the company in exchange for a reward – has been around for nearly 25 years. In 1995, Netscape launched the ‘Netscape Bugs Bounty’ program to let people find bugs in beta versions of Netscape Navigator 2.0. Rewards included up to $1000 cash, Netscape swag, and ‘bragging rights’.

Today the likes of Microsoft, Google, Intel, CloudFlare, Facebook, Chrysler, GM, Uber, GitHub, Kaspersky, the Singapore Ministry of Defence, US Air Force, Army, Department of Defense, and even the Pentagon now run bug bounty programs and competitions.

“A couple of years ago you could count the number of the bug bounty programs that exist on one hand, and now there are more than a thousand of them,” says Michiel Prins, co-founder of HackerOne.

HackerOne, founded in San Francisco in 2012, has raised over $74 million and boasts over 160,000 hackers on its platform, and is one of a number of startups acting as a facilitator between company and hacker for bug bounty programs.

Others include fellow San Fran-based Bugcrowd, and Synack of Redwood, California. These companies boast large communities, healthy funding rounds, and a number of high-profile customers. The model is largely the same across the board; hackers sign up to the platform, see which companies are currently running bug bounty programs (and the terms/scope of what they can investigate), go out and see what they can find, report their findings back to the platform, and once their findings are validated, get a cash reward.

Previously described by CSO Online as ‘the Match.com for security researchers’, Bugcrowd has raised just shy of $50 million since 2012, claims nearly 80,000 researchers, has managed around 700 programs and has handled over 87,000 valid vulnerability submissions.

“Over the past three to four years we’ve seen a significant acceleration in program launches as well as growing adoption beyond technology companies and traditionally early-adopting organizations to the broader market,” says David Baker, CSO of Bugcrowd. “We’ve seen a large number of more conservative verticals like finance and government adopting the crowdsourced security model.”

“The core issue that people are realizing is that they are more vulnerable than they are being told. There’s also just not enough people around with the right security skill set to truly mitigate every risk and uncover every vulnerability within their organization’s ecosystem. The way a distributed resourcing model works is it gives people easier access to more talent to solve problems that they are actually unable to hire for.”

“While we recommend companies to start in private programs, it’s encouraging to see a growing number of companies take their programs public as this means the organization has built enough confidence in the blueprint.”

For both HackerOne and Bugcrowd, the hackers themselves generally come from the US, India, and Europe, while the companies running the programs are still mostly US and Europe with a growing interest from APAC.

“We're seeing a lot of uptick from companies based in Asia,” says Prins. “Especially in blockchain-based businesses; there's a lot to lose with these types of businesses so they recognize the importance of running bug bounty programs.”

One company which has benefited from embracing the crowdsourced model of security is software repository startup GitHub, which has run a bug bounty program since 2014.

Greg Ose, GitHub’s Application Security Manager, says that being able to tap into a broad set of researchers gave the company access to specializations and experience it doesn’t have internally.

“For example, a researcher may have focused their work on SAML or OAuth authentication flows and vulnerabilities, and that specialization could be instrumental in finding similar vulnerabilities when applied to GitHub.com.”

“Another benefit over traditional assessments is that assessment work via the Bug Bounty program is constantly ongoing. While internally we focus our review work on new features and functionality, external researchers tend to dig into all facets of the application, even areas we may not have reviewed recently. A fresh look at these areas may uncover a vulnerability that had been overlooked in the past.”

“It also prompts us to take a deeper look into vulnerabilities and work with other teams to find architectural solutions. Sometimes a vulnerability we receive impacts not only the area of the application that the researcher identified, but other less obvious areas. We use vulnerabilities from the Bug Bounty program as a starting point to investigate and ensure that we are protected from and properly handling the underlying issues in other areas. Often, this leads us to work with GitHub’s Product Security or other engineering teams to implement architectural fixes, as well as tests that ensure the same vulnerabilities do not get reintroduced in the future.”


Why pen-testing isn’t working

To many, bug bounties might sound like penetration testing on a bigger scale. And they’d be right, to a certain extent. But bug bounties offer more than a bigger team of hackers.

Bugcrowd’s Baker argues the penetration testing model is “fundamentally flawed” because such testing usually involves just a few people producing a snapshot of your systems at one point in time.

“How many actors put how many hours into probing your systems for vulnerabilities? Is paying one or two people, no matter how competent they are, for forty or eighty hours of their time going to put your company in the position to be able to compete with a crowd of bad actors to find the flaws first?”

“The current pen testing model can’t be continuous, and thus, can’t keep up with agile development.”

HackerOne’s Prins, however, argues that the two aren’t mutually exclusive.

“You can absolutely do both at the same time. We have customers that do both, sometimes because they have a customer that demands them to do traditional pen-testing or they have regulatory compliance that demands they do traditional pen-testing. A lot of our customers do the minimum required of pen-testing and supplement that with a bug bounty program.”

“A pen-test is a moment in time snapshot, one or two consultants at a firm looking at an application for maybe a week or two weeks, and then you wrap everything up into one report and the test is done.”

“Here you can work with 150,000 hackers, every one with their own way of thinking and way of attacking a system. And with a bug bounty there’s continuity; a bug bounty tends to be something that runs throughout the whole year, so you have someone looking at your systems 24/7.”


Legal issues of penetration testing and how Vulnerability Disclosure Policies (VDP) help

Hacking companies outside of the confines of an official penetration test or bug bounty program has long been a legal grey area for hackers, even if their intentions are purely academic or altruistic. Many companies over the years have taken legal action against people that have found vulnerabilities.

Password manager provider Keeper filed a lawsuit against Ars Technica for its reporting of a now-fixed vulnerability in the company’s software. Last year security researcher Chris Vickery was sued by email marketing company River City Media after he found the company’s servers open online. PwC, FireEye, Cisco, and DJI are other companies which have used the threat of legal action against security researchers in recent years. Even internal researchers aren’t always safe; last year Salesforce reportedly fired two internal security engineers after they revealed details of an internal pen testing tool at a conference.

There is no shortage of legal advice online for pen testers and companies to ensure researchers are safe and companies can avoid damaging their reputation or exposing themselves to increased security risk. But many researchers have openly said they are worried about companies taking action against them if they try to talk publicly about their research. Dropbox even went as far as publishing a template that other companies can copy to ensure clarity on all sides when it comes to reporting vulnerabilities to the affected company.

This lack of clarity and safety was one of the reasons Prins founded HackerOne in the first place.

“I was doing penetration testing with my co-founder [Jobert Abma] and we noticed that a lot of times you wanted to do good and tell that company about a vulnerability. But it was very hard; nobody had contact information about how you can reach security teams and it can also be dangerous because you never know what's going to happen; are they going to send a lawyer or are they going to go to law enforcement? You never know what's going to happen even when you're trying to do the good thing.”

Sometimes governments try to intervene to bring clarity to this grey area, but these efforts rarely have the intended effect. A cyber-security bill put forward in Singapore originally required all penetration testers to go beyond mere certification and obtain a license in order to operate. Operating without a license would have been punishable by two years’ jail and up to S$50,000 ($36,000) in fines. Luckily this requirement was removed after a public consultation.

The US state of Georgia recently approved a cyber-security bill that, amongst other things, would make any kind of legitimate but unauthorized security research illegal. Originally the penalty for breaking this law would have been a fine of up to $5,000 and a year-long jail sentence, but this has been reduced to a misdemeanour.

The EFF opposes the bill, saying it “fails to clearly exempt legitimate, independent security research—such as that conducted by Georgia Tech’s renowned cybersecurity department—from the computer crime law.”

Craig Young, computer security researcher at Tripwire, warned the bill “could be abused to lock someone up whose only ‘crime’ is recognizing a security concern and bringing it to the attention of someone in a position to fix it.”

“The end result is that altruistic hackers will likely stop looking for (or at least stop disclosing) vulnerabilities leaving only those with a truly malicious criminal agenda left to find and exploit the risks.”

The existence of companies to facilitate non-malicious hacking provides a safety net for hackers. And even if you don’t run a full bug bounty program, it’s in everyone’s interest that companies at least have a Vulnerability Disclosure Policy (VDP) in place.

“It's still dangerous to hack on a company that doesn't have a clear VDP or Bug Bounty Program where the rules are clear and you know what scope you have to operate in,” says Prins.

According to HackerOne’s 2018 Hacker Report, 25% of respondents said they were unable to disclose a vulnerability due to the company in question not having an established VDP, meaning companies are left insecure because they haven’t created an avenue for ethical hackers to reach them without fear of reprisal. The report says 94% of the Forbes Global 2000 do not have a VDP in place.

To try and prevent this, HackerOne offers a disclosure assistance service: if any of its users find a vulnerability within a company that doesn’t have a VDP or bug bounty program, HackerOne will find the relevant point of contact – for example the CTO or CISO – and act as a proxy between the hacker and the company.

“We’re creating a safe haven for companies to securely and safely work with hackers, and hackers can have an expectation of how these companies can respond.”

Bugcrowd’s Baker agrees that VDPs are important, but says it’s important for companies such as his to ‘broker the conversation’ to ensure a fair and understandable policy.

“Prior to the launch of any program, we work with our customers to outline their policies around disclosure (will they allow researchers to disclose vulnerabilities and when or will it be on a case-by-case basis).”

Sometimes, however, even having the right processes in place doesn’t cover every eventuality. Google has repeatedly come under fire from Microsoft for disclosing vulnerabilities in Windows and Microsoft Edge before the Redmond company has issued fixes. One Google engineer called Microsoft difficult to work with, while Microsoft said such actions “puts customers at potential risk”.

The bright side is that companies are becoming more open to receiving reports of vulnerabilities in their systems than in the past. According to HackerOne’s latest survey of its users, 72% said companies have become more open to receiving vulnerability information in the last 12 months.


Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'millennials'.
