Bug Bounty Programs Explained

In 1854, the window of Bramah and Co. at 124 Piccadilly in London sported a lock next to a small printed board, which stated: “The artist who can make an instrument that will pick or open this lock, shall receive 200 Guineas the moment it is produced.” 

This is the first known example of a security bug bounty, where the lock’s manufacturers incentivized experts to find vulnerabilities in their product. It reassured the manufacturer that they should be among the first to know if their product had a weakness, and advertised the strength of their security to the wider public. And, of course, the lock was eventually picked, by the American proto-hacker and security professional, Alfred Charles Hobbs.

This blog will define bug bounty programs and cover what to expect when signing up for a bug bounty program, how they operate, and how security teams can make the most of them. 

What are Bug Bounty Programs?

Bug bounties have evolved since the 1850s, really coming into their own 140 years later with the growth of the internet and Netscape’s decision to implement a bug bounty program in 1995, which offered financial rewards to developers who found and submitted security bugs in the browser Netscape Navigator 2.0. This approach was taken up by Mozilla, Google, and Facebook in the following years, before being formalized in a third-party offering by Casey Ellis with the founding of Bugcrowd in 2012.

These programs are results-focused security initiatives that incentivize hackers to uncover and report security vulnerabilities. They provide ROI by offering financial rewards based on the criticality of bugs submitted, and simulate the actions of malicious actors to find and fix issues quickly.

Before getting into it, we should note that there are internally run bug bounties, just as there are internally run server farms, but this post will focus on managed programs, as they are almost universally considered more cost-effective and usable. If an AI company reportedly valued at $86 billion and focused on safety as a top concern works with a third party for its bug bounty program—not to mention tech giants like Microsoft and Google, plus highly risk-conscious government customers—then you can safely consider it to be best practice.

What are the Benefits of Bug Bounty Programs?

Bug bounty programs are effective because they: 

  • Greatly reduce cost per vulnerability compared with other security solutions
  • Engage a diverse group of hackers by tapping into a broad array of talent
  • Allow you to stay on top of the always-evolving landscape of security threats, because bottom-up competition on the platforms fosters continuous improvement and perpetual learning
  • Offer a cost-effective way to discover vulnerabilities and triage risks that internal security teams may miss
  • Contribute to a reputation for taking security seriously among hackers and the broader security community by being willing to invest in results
  • Provide continuous assurance that allows you to maintain the highest standard of security for critical assets
  • Provide better line-of-sight into security ROI than traditional approaches by directly aligning costs with vulnerabilities based on their impact

Who Participates in Bug Bounty Programs?

Contributors to bounty programs are hackers: security experts who like to find novel ways of using and considering tools and processes. Like Mr. Hobbs mentioned above, they are passionate about using their skills to improve security and thwart crime, and in today’s digital world, their skills are sorely in demand.

Contrary to their depiction in the media, most hackers are ethically motivated, applying their skills to help companies protect themselves rather than pursuing more lucrative opportunities in the black and gray markets. Bugcrowd’s Inside the Mind of a Hacker shows that 75% of hackers identify non-financial factors as their main motives to hack, and 96% believe that they help companies fill their cybersecurity skills gap, so they are a considerable force for good.

Hackers contribute to public bug bounty programs in a Darwinian market that is bottom-up, meritocratic and open to the world. This ensures program owners always have access to the latest skill sets and techniques, while incentivizing hackers to stay on top of the latest trends and developments.

You also have the option to buy private bug bounty programs, where only invited hackers can partake. This allows you to select for researchers from specific countries or backgrounds, with some providers even allowing you to restrict participants to those with security clearance.

What Services do Managed Bug Bounty Providers Offer?

Even the most sophisticated software and security companies work with third parties to manage their bug bounty programs. Handling the function internally means building and maintaining a software platform, as well as handling and triaging a potentially large volume of submissions. Add to this the need to staff the platform with security professionals in a market where talent is scarce, and it becomes apparent why so many companies opt for managed programs. 

Overall, there are several services that you should look for from a managed partner:

  • Validation and triage: separating signal from noise is the most important part of any bug bounty program. Platforms add value by quickly identifying invalid or duplicate submissions, triaging based on criticality and ensuring bugs are fixed and hackers paid promptly.
  • Custom curation of The Crowd: matching hackers to jobs based on skill set, performance, experience, and other metrics makes the process more efficient and helps you get results faster. Platforms that do this well rely on AI and advanced algorithms to match hackers to programs.
  • Remediation at the level of SDLC: identifying bugs and fixes is only half the battle. Platforms should ensure that these fixes can be implemented within the SDLC to make the remediation loop as tight as possible. 
  • A SaaS platform built for multiple use cases: crowdsourced security is broader than just bug bounties, and the best providers will offer platforms that integrate with pen testing as a service, attack surface management, vulnerability disclosure, and similar security solutions.

What is the Difference Between Bug Bounty Programs and Penetration Testing?

Penetration testing, or pen testing, is a service where external testers mimic attackers to identify security vulnerabilities in a company’s assets. These tests are typically time-bound and work to established methodologies, and they provide a final report that can demonstrate compliance to regulatory bodies. This sets them apart from bug bounty programs, which identify vulnerabilities based only on hacker ingenuity and can operate continuously.

Penetration Testing as a Service (PTaaS) is an improvement to bring the practice in line with modern capabilities. It simplifies and accelerates onboarding, provides integration with the SDLC and other crowdsourced security services, and speeds up the reporting process, all while maintaining the core strengths of operating to defined methodologies and offering clear reporting.

Pen tests and PTaaS are more appropriate if you:

  • Have specific compliance requirements to meet industry regulations like HIPAA or PCI DSS, and require a pen test with a formal reporting function
  • Want to take a “pay for time” approach to ensure coverage based on a predetermined checklist/methodology
  • Have internal controls that require time-bound testing of new products or functionality before they ship

Bug bounty programs are more appropriate if you:

  • Want to take a “pay for impact” approach to incentivize the discovery of high-impact vulnerabilities without a predetermined checklist or methodology 
  • Are looking for a wide range of hackers to apply their skills and experience to the problem to find novel vulnerabilities and fixes
  • Want 24/7 coverage of your assets

As you can see, these are complementary rather than competitive services, and companies that take security seriously will typically invest in both services and integrate them on a crowdsourced security platform. For more details on the differences and complements between pen testing and bug bounties, see the Bugcrowd blog on the topic.

What Factors to Consider Before Starting a Bug Bounty Program

  • What is in scope? You pay for results, but some results are more valuable than others. Start with a narrow asset range and look at the capacity that this demands. Once you have a good indication of ROI, expand it based on your resources and strategic priorities.
  • Public or private? It helps to start small, with a private bounty program that matches the most relevant hackers to your task. Once you’re comfortable with the rate of vulnerabilities uncovered and their remediation, open it to the public to make the most of The Crowd’s collective intelligence.
  • On-demand or ongoing? Continuous coverage is the best way to identify security risk quickly and effectively, but not every development environment can keep up with submissions and security budgets might not stretch to cover this level of work. You should start with a point-in-time program, then extend it when you’re comfortable with ROI and confident in the agile development methods needed to make fixes quickly.
  • Which integrations to prioritize? Bounties come with operational challenges, and getting the development side right means being confident about integrating with your back end. A good bug bounty program should integrate into the SDLC and work with developer and project management tools like JIRA, GitHub, Trello, and Slack.

How to Develop a Bug Bounty Brief

There is enormous security talent available in The Crowd, but it’s only as useful as your ability to harness it. Getting the brief right sets expectations for hackers and gives direction on what success looks like. Providing a concise, unambiguous brief gets you results quickly and more effectively and reduces the need for triage.

The brief should set out the following:

  • Scope – Clearly sets out the assets that are in range for testing, leaving nothing open to interpretation. Narrow scopes are better for beginners, but not so narrow that it is unattractive to hackers or fails to add security value.
  • Focus – Adds context to scope by highlighting areas that are particularly important to you. This can include bug types, specific functionality, new features or similar subjective properties of your assets.
  • Out of scope – Further clarifies scope by stating what is ruled out. The most common example is hosts that resolve to third-party services.
  • Rewards – Expected payouts. These should be correlated to market prices to ensure you’re attracting the right talent.
  • Disclosure – Whether, and how, hackers can expect to take credit publicly for bugs found. We recommend public disclosure to build strong relations with hackers and demonstrate an understanding of security dynamics, but it is your decision.

TL;DR–Bug Bounty Programs

Bug bounty programs rely on harnessing the skills of the world’s security talent, known as The Crowd. They offer continuous coverage for assets and quickly surface novel vulnerabilities, while pairing well with formal and compliance-based security such as pen testing. Making bug bounties work for you means knowing the strengths of the program and planning your brief and financial incentives to maximize these strengths. Getting the most out of the program also means knowing how to pair it with other solutions like PTaaS and Attack Surface Management.
