HackenProof: Bug Bounty Programs and GDPR Compliance

What is HackenProof?

HackenProof is one of the projects operating within the Hacken ecosystem. On its professional platform, HackenProof organizes bug bounty programs for companies from the crypto world and other industries, during which white hat hackers from around the world test their skills by detecting vulnerabilities in clients’ systems in exchange for rewards. Apart from running bug bounty programs according to clients’ requirements, HackenProof provides penetration testing services to businesses that want to determine how vulnerable they are to cyberattacks. The community built by HackenProof unites 5K+ researchers who have helped clients identify 850+ security vulnerabilities. For more detailed information about HackenProof, the specifics of its work, and the value it delivers to its clients, please view the following material.

What is a bug bounty program?

A bug bounty program is a continuous security testing option whereby independent white hat hackers receive financial rewards for the vulnerabilities they detect in clients’ systems. The terms and conditions of the program are set by the company applying for this type of security testing. Bug bounty programs do not fully substitute for other forms of security testing but rather supplement them. Companies may either run bug bounty programs on their own websites or use the services of professional vendors like HackenProof. You may find more information about bug bounty programs and their benefits for businesses in the following publication.

Bug bounty program & end-to-end encryption

Under the General Data Protection Regulation (Recital 83), entities are encouraged to implement measures such as encryption to mitigate the risks associated with data processing; encryption is therefore not referred to as mandatory. That is why the use of encryption does not automatically make a company GDPR compliant. At the same time, under Article 32 of the regulation, companies have to take appropriate technical and organizational measures to ensure data protection. In this context, both bug bounty programs and encryption may be viewed as security measures whose implementation brings companies closer to GDPR compliance.

  • Encryption makes data unreadable to unauthorized users and is widely used when transferring information.
  • Although encryption is a highly recommended measure for ensuring data security, it does not guarantee 100% protection of personal information, since there is always the risk that human mistakes or improper implementation will lead to data leaks.

That is why companies are strongly advised to run bug bounty programs to identify the channels through which data leaks may take place. Generally, bug bounty programs and data encryption are 2 security measures that complement rather than substitute for each other.

Bug bounty program & GDPR compliance audit

Although there is no precise algorithm that companies can follow to become GDPR compliant, there is a list of basic recommendations that can significantly increase their chances of passing a GDPR compliance audit. Companies need to take data protection into account from the moment they start working with information. Since a bug bounty program is a continuous security testing instrument, it may serve as strong confirmation for authorities of the data controller’s focus on security. By running bug bounty programs, companies also build awareness of data protection among their employees.

Besides, when preparing to run a bug bounty program on a professional platform, companies conduct information audits to determine how much information they hold and where they store it. By completing these activities, companies become more transparent, which is also one of the conditions required for GDPR compliance. And, most importantly, bug bounty programs allow companies to detect and eliminate critical and high severity vulnerabilities and bugs whose exploitation by malicious actors may result in data theft and leaks. As a result, companies can raise the level of protection of the information they work with. Generally, by preparing for and running bug bounty programs, companies may meet some of the main requirements for becoming GDPR compliant.

How much can entities save by running bug bounty programs?

When companies fail to ensure the protection of clients’ information, they can face financial penalties under the GDPR. Generally, there are 2 levels of fines depending on the severity of the violation. For less severe infringements, a company that has violated the GDPR provisions has to pay a fine of up to €10 million or 2% of its annual worldwide revenue, whichever amount is higher. For more serious infringements, a company that has violated the GDPR provisions has to pay a fine of up to €20 million or 4% of its annual worldwide revenue, whichever amount is higher. The fines are administered by the data protection regulators of each EU country. The amount of the fine imposed on a company depends on 10 criteria, including whether the company has taken adequate precautionary measures. Here, by running bug bounty programs, companies may show that they have taken serious precautionary measures to prevent data theft and leaks and, as a result, the fine they will have to pay in case of a data infringement will be reduced.

In 2020, British Airways was fined £20 million by the Information Commissioner’s Office (ICO) for its failure to take appropriate security measures to prevent the data breach that took place in 2018. As a result of this breach, data belonging to 400,000+ customers was compromised. It took the company over 2 months to detect the attack. According to the ICO, the company had not undertaken appropriately rigorous testing in the form of simulated cyberattacks. In 2019, Bulgaria’s data protection authority, the Commission for Personal Data Protection, imposed a fine of over €2.6 million on the country’s National Revenue Agency (NRA) for its failure to prevent a personal data breach. The breach affected over 5 million Bulgarian citizens. The authority recommended that the NRA enhance its data protection mechanisms to prevent similar incidents in the future. Consequently, it is reasonable to suggest that by running bug bounty programs entities can avoid financial fines of up to a few million USD.

How much do you need to spend on a bug bounty program?

The budget for running a bug bounty program is not fixed and generally depends on the scope and quality of the work performed by independent researchers. Subscription and bug fees are set by the vendors providing professional bug bounty platforms, while the rewards paid to independent researchers are set by the companies applying for this type of security testing. That is why there is no fixed estimate of the cost of running a bug bounty program, but, on average, for SMEs this sum starts from $10,000-$20,000, while for big corporations the total cost may reach a few million USD. However, these figures are much smaller than the fines that may be imposed on companies under the GDPR for failing to prevent data breaches. For a better understanding of how much you may need to spend on running a bug bounty program, you may view the subscription plans offered by one of the most trusted bug bounty platforms – HackenProof.