Going Hunting: Could Bug Bounty Programs Bring Benefits to Your Enterprise?
Security-minded organizations know that the next cyber threat may be the worst. That’s why they take preemptive measures to protect their most valuable assets.
Bug bounty programs are an emerging trend among forward-thinking organizations that want a clearer picture of their security posture while getting vulnerabilities repaired. The participating researchers deliberately attempt to exploit your system's weaknesses so that you can fix them before a malicious actor does. However, bug bounty programs alone are not a complete security solution. Your company still needs a comprehensive approach to cybersecurity, including vulnerability assessments and penetration testing; a bug bounty program is simply one additional layer of protection.
Read on to find out more about these innovative programs and how your organization might benefit from using one.
A Brief History of Zapping Bugs
Bug bounty programs have existed for at least two decades, but they have only recently become common parlance for information security teams in the corporate world. In the mid-1990s, only about a dozen organizations offered bug bounties, starting in 1995 with a program dedicated to rooting out issues with the Netscape Navigator 2.0 web browser.
High-profile companies such as Google, Facebook and Microsoft have all used bug bounties alongside their robust in-house security teams, lending credence and popularity to the trend. Mozilla, creator of the Firefox browser, started a bug bounty program in 2004 that continues to this day and has paid out over $1 million in awards. Google's Vulnerability Reward Program, founded in 2010, has paid out over $6 million, and Facebook's program, launched a year later, has given $4.3 million to researchers.
Fantastic Bugs and Where to Find Them
Some bug bounties focus on customer-facing websites, tools and applications, whereas others specialize in software or even hardware. While the tech industry uses them most often, these programs pop up in industries as varied as gaming, retail and travel. Any bug bounty program requires extensive resources (or the resources of a well-equipped third party) to manage, so be certain you have the money and time to devote to one.
One of these programs may be best used as a skillful extra set of eyes on your existing security practices. You might also consider giving your most critical functions an additional layer of scrutiny. Whatever the approach, bug bounties work most effectively when an organization's security infrastructure is already mature, not when it is in its infancy or has yet to undergo rigorous testing.
Think about it: introducing a team whose job is to exploit vulnerabilities and seek out bugs while a security program is still being built will cost you significant time (and money) as you repair each issue. Bug bounty programs should be a finishing element, not a foundational one.
Bugs, Bugs Everywhere
Several high-profile examples of bug bounty programs have encouraged many organizations to consider whether the strategy would be right for them. The sensitivity of the digital information that cyber threats can compromise, and the real possibility of attackers gaining access to it, is helping to push bug bounty programs forward as a possible solution.
To Hack a Slack
In March, team collaboration and communication giant Slack reported that a researcher had found a vulnerability in Slack's code. It could have been used to take control of an account via a compromised authentication token and read archived messages, a primary function of Slack's widely used application.
The researcher, Frans Rosen of Detectify Labs, detected the vulnerability and quickly created a proof of concept showing how a malicious web page could masquerade as a phony server. Rosen contacted Slack through a vulnerability disclosure service, and Slack repaired the issue within five hours of the report. So far there is no indication that the bug was exploited over the previous two years, and Rosen was paid $3,000 as a reward for his timely find.
Bugs-Be-Gone at the Pentagon
Last month, Hack the Pentagon founders Katie Moussouris and Lisa Wiswell discussed their initiative to create a groundbreaking bug bounty program for the U.S. government. After successfully convincing Microsoft to adopt a similar program in 2013, they helped launch Hack the Pentagon at the Department of Defense, despite considerable anxiety within the organization.
Moussouris, the CEO of her own security company, described Hack the Pentagon as “significant” and an unquestionable success. Wiswell added that “bug bounty programs are here to stay” for the U.S. government, and has found herself consulting other departments on how to run successful programs of their own.
Hacking for Good
The Pwn2Own hacking contest, founded by the Zero Day Initiative, is a modern-day example of the bug bounty model on a high-profile stage, used both to raise awareness of such programs and to help find critical vulnerabilities.
Since 2007, Pwn2Own has taken place at the CanSecWest conference in Vancouver and seeks out security issues in operating systems, browsers, plugins, applications, servers and virtual machines. This year the organizers offered an $80,000 cash prize, among other lucrative rewards, to anyone who compromised the Google Chrome or Microsoft Edge web browsers.
Letting the Right Ones In
Naturally, you will have concerns about allowing access to the source code and systems behind your firewalls and other protective infrastructure, particularly to a third party whose explicit purpose is to break what you've worked very hard to build. You have limited visibility into what the bug bounty hunters do, and they may inadvertently access sensitive data in your system or further compromise your security through unexpected tests. A fundamental trust must exist between the program and the company using it.
Who Can You Trust?
Should you wish to employ a bug bounty team, consider the model Apple recently adopted when it announced an invitation-only program. Allow small, elite and vetted teams to work for a few weeks on closed and confidential applications or websites to establish a working trust before opening up the process to your system at large.
Another option for modern security teams is to use a third-party platform, such as Crowdcontrol from Bugcrowd. Many well-known companies, including Indeed.com, Jet.com, Western Union and Pinterest, have used Bugcrowd's bounty programs over the past few years and benefited from its organization and management.
Talk to your company’s cybersecurity expert to get their recommendations for adding a bug bounty program to your existing security efforts.