Bug Bounty Myth #1: All Bug Bounty Programs are ‘Public’


  •  
  •  
  •  
  •  

This year, bug bounties have hit an all-time high in the news, and are well on their way to becoming a necessity in any mature security organization. Because of that buzz and the positive traction the bug bounty space is seeing, it’s easy for us to forget that this is still a new approach to security that not everyone fully understands. That’s why we’ve put our ears to the ground to pick up on some commonly held misconceptions about how they work, why they work, and for whom they’re ideal. 

This week we launched our 7 Bug Bounty Myths, BUSTED report to debunk some of the biggest and most common bug bounty myths. In the upcoming weeks, we’ll dissect these myths one by one.

To kick it off, we’re talking about the number one most common misconception we hear in passing–on tradeshow floors, from fellow developers, and even within the growing security researcher community.

Myth #1: All bug bounties are ‘public,’ inviting the whole world to hack your applications

All too often we hear ‘My application can’t stand up to that volume of testing’ or ‘We can’t risk external researchers coming into contact with our customer data’ or ‘I need to know who is testing my applications.’ Although public programs are great solutions for many organizations and we believe that all organizations should strive to have some form of public vulnerability disclosure channel eventually, those concerns are valid. Enter private bug bounty programs.

Evolution of Bug Bounties from Public to Private

It is true that many bug bounty programs are public. And yes, the first bug bounty launched by Netscape 21 years ago, and the several that followed directly after were open to everyone contests. Bug bounties have come a long way from the public, open-to-anyone competitions that were popularized by those tech giants. Today the majority of bug bounty programs are private, invite only. 

Value of Private Bug Bounties

Private programs offer organizations the opportunity to utilize the power of the crowd– volume of testers, diversity of skill and perspective and competitive environment–in a more controlled environment. Organizations often run private programs for a few of the following reasons:

  • Welcome testing to a smaller, curated crowd of testers who must be invited to join
  • Facilitate testing on harder to access applications such as applications that require unique credentials, or devices that must be distributed
  • Focus testing on a small subset of an attack surface to meet organizational testing needs

Additionally, organizations looking to improve upon penetration tests while fulfilling quarterly testing needs or compliance requirements are starting to run on-demand bounty programs. Our On-Demand Programs utilize invitation-only researcher for a time-boxed testing period, similar to a pen test, but harness the crowdsourced model of paying only for valid results rather than for effort or time.

Private Program Participate

Anyone can sign up to become a Bugcrowd researcher to participate in public bug bounty programs. As bug hunters submit bugs to public programs, climb the ranks within the community, they have the opportunity to gain access to private programs.

Bugcrowd researchers are vetted and measured in four areas:

  • Activity: We encourage our researchers to stay active within the community. Researchers who have been active within the past 90 days receive more invitations to private programs.
  • Quality: Researchers must submit valid findings, staying in scope and adhering to brief guidelines. More than 50% of their submissions must be ‘accepted’ by organizations, which encourages quality submissions.
  • Impact: High-value findings are also important. To receive invitations to private programs, researchers must have an overall average priority rating better than 4.0.
  • Trust: Perhaps the most important measurement, researchers must consistently adhere to our community Code of Conduct, Standard Disclosure Terms, as well as adhere to individual program disclosure policies. Professionalism and respectfulness are important, and researchers must exhibit consistent both of those values in communicating with both Bugcrowd staff and program owners.

Only the top performers who have proven their skill and trustworthiness receive invitations to private programs.

Which companies run private programs?

By default, public programs receive more organic press and marketing exposure, garnering attention from a larger pool of testers. Private programs benefit from being discreet and frequently go on without any external recognition. That having been said, you can learn more about some experiences from a couple of our customers who ran or are currently running private bounty programs.

These are just a few of our private customers that have shared their experiences working with a private crowd. It is also important to note that many of our customers running public bug bounty programs today may have started out private such as Western Union, Okta, Fitbit and more.

Want to learn more about common misconceptions around bug bounty programs? Download our 7 Bug Bounty Myths, BUSTED report to learn more.