Although bug bounties have gained incredible traction over the past year, many people still have questions and misunderstandings about what they are and how they work.
In the past several weeks, we’ve been addressing some of those misconceptions in our guide, 7 Bug Bounty Myths, Busted. So far we’ve…
- Discussed the misconception that bug bounties are all public
- Examined the types of companies engaging with the bug bounty model
- Debunked the perception some have that bug bounties are too risky
- Talked about the hackers who participate in bug bounty programs.
Today we’re getting down to what it’s all about… the results.
Myth #5: Bug bounties don’t yield high-value results.
In the market, it’s a common misconception that bug bounties are only useful for finding ‘low-hanging fruit’ bugs, such as vulnerabilities that can be found by scanners. This is untrue; in fact, the priority system Bugcrowd has standardized favors high-impact vulnerabilities and disincentivizes out-of-scope and excluded vulnerabilities, which commonly include the vulnerabilities found by most scanners.
Furthermore, because of the diversity in researcher demographics and motivations, bug bounties produce a much larger breadth of vulnerabilities than penetration testing or vulnerability scanners do – 7 times more to be exact. Vulnerability scanners are only adept at finding bugs they have been programmed to discover, and penetration tests are limited by the skill and knowledge of the few testers engaged.
What kinds of bugs do they find?
Of the tens of thousands of valid bugs our researchers find, thousands of high severity bugs, in a wide range of bug types, are found and fixed by our customers. Bug bounty programs often find bugs listed on OWASP’s Top Ten, as well as less frequently seen vulnerabilities. For a detailed view of many of these vulnerabilities, reference our Vulnerability Rating Taxonomy.
In addition to producing a wide breadth of vulnerabilities, bug bounty programs, as evidenced by the bug write-ups above, discover incredibly high-value vulnerabilities as well.
How do bug bounties fit with traditional security assessment methods?
Given the cybersecurity landscape, we’ve always been proponents of a layered approach to security, prioritized based on specific organizational capabilities, needs, sensitivities, and goals. It’s also no secret that, no matter how advanced, automation only goes so far: it can only find what it has been programmed to find. Penetration tests also have a place in many security programs, but they are limited in perspective, in time, and in effort. This leaves a gap that requires human creativity to fill, and crowdsourcing that creativity is by far the most effective way to bring it into the mix.
Through working with our incredibly diverse and talented crowd, our customers have seen unprecedented results in their private and public bug bounty programs.
Stay tuned next week for our next myth-busting blog post on budgeting your program and download the 7 Myths Guide to get a look at the most common bug bounty misconceptions.