Software bug bounty hunting is big business, and more and more companies are offering sizeable sums to researchers, developers, and hackers who find bugs in their operating system, code, or application. The benefits are clear: find vulnerabilities before a malicious entity—or the public—does, and make the appropriate fixes.
Over the summer, Apple announced it was offering up to $1 million to researchers who find security bugs in iPhones. Previously, Apple offered bounties only to invited researchers who attempted to exploit its phones and cloud backups, but now anyone can participate.
Many other large organizations offer bug bounty programs now, including Google, Facebook, Yahoo!, Microsoft, and even the U.S. Department of Defense.
However, security observers say bug bounty programs are not always a panacea, and organizations should not assume that implementing them means they've done their due diligence when it comes to protecting their organization.
"Should they be [using bug bounties] to the exclusion of other things? The answer is no," says Christina Richmond, principal analyst in cybersecurity services at the Enterprise Strategy Group (ESG). Richmond says organizations should be performing a combination of continuous testing, vulnerability scanning, and penetration testing, as frequently as they can, in addition to offering bounties for the identification of security vulnerabilities.
One reason to not rely on bug bounties alone is the integrity of the bounty hunter. Organizations don't always know whether they are dealing with a "white hat" or ethical hacker who uses legal means to search, find, and disclose flaws, or a "black hat" hacker who seeks to break into a network or system with malicious intent.
Nearly a quarter (23%) of respondents to an ESG survey of 220 security professionals conducted during the summer of 2019 said they are using crowdsourced security services such as bug bounties. The survey found most users of crowdsourced security believe it harnesses white hat security researchers to find and eliminate vulnerabilities on the most critical attack surfaces: Web and application programming interfaces on server/cloud, mobile and IoT platforms.
The Cost of Bug-Hunting
Bounty hunters don't come cheap. The non-profit Hacktivity, run by the HackerOne cybersecurity firm, says payments to successful bug hunters range from $500 to $50,000 for identifying different levels of software security vulnerabilities.
"The main negative is cost," observes Kevin Curran, a professor of cybersecurity at Ulster University in Northern Ireland, as well as executive co-director of the university's Legal Innovation Center, and group leader of the Ambient Intelligence & Virtual Worlds Research Group. "To run a successful bug bounty program requires paying competitive prices," says Curran, who is also a senior IEEE member. "The risks of not doing so, however, are that exploits find their way into the hands of hackers."
Another negative is the difficulty of finding qualified security professionals to participate in these programs, says Curran. Additionally, "There is also the risk of losing time on bug bounties which do not uncover any vulnerabilities or exploits," he says.
Before companies try to take advantage of a bug bounty program, they should tap in-house staff or security consultants, because some vulnerabilities are common and easy to find, advises Katie Moussouris, founder and CEO of Luta Security. Though she thinks bug bounty programs have value, she says they are not appropriate risk management in and of themselves.
"Many of today's bug bounties are security theater pantomiming diligence, while masking security negligence, or just plain understaffing," says Moussouris, who created the first bug bounty programs for Microsoft and the Pentagon. "Most organizations could find the majority of bug bounty bugs themselves if they could fill all their open positions, because certain classes of bugs are simple to identify."
Programs also are not reaping impressive returns. Nearly 8% of public vulnerabilities in 2018 were identified through bug bounty programs, up from only 5.8% in 2017, according to RiskBased Security, a company involved in vulnerability intelligence, breach data, and risk ratings.
Yet, the popularity of bug bounties continues to grow. Over 300,000 hackers have signed up as bug hunters on HackerOne. Also, the ESG survey found that 88% of respondents believe bug bounty services provide "highly vetted, trusted security researchers."
Covering All Security Bases
For a company to be certain it is covering all security bases, it should have security protocols in place, and conduct automated security scans and some type of penetration testing.
"A well-run security team that is proactive about preventing, finding, and fixing 'low-hanging fruit' bugs can benefit from bug bounties focused on harder problems," says Moussouris.
"I like broadening the aperture … whether it's human-based testing like bug bounties or breach and attack simulation," agrees Richmond. ESG promotes the usage of technology it refers to as continuous automated penetration and attack testing (CAPAT).
When utilizing bug bounties, companies should be clear about their goals. "Bug bounties can differ in some aspects," says Curran, so companies should "outline the areas that they wish individuals to concentrate on, such as hardware, network, Web APIs, or database backend."
Many of the high-value security vulnerabilities reported to bug bounty programs are found by just a fraction of the individuals who take part in these programs, Curran says. Yet he believes the use of bug bounties will eventually become a necessity for all "serious companies" that are willing to pay out.
"The simple answer is that they are worth it," he says, "possibly under all circumstances."
Esther Shein is a freelance technology and business writer based in the Boston area.