Top 5 Bug Bounty Myths

Hacken Ecosystem

Not a week goes by without a news report about either a data leak or a hacker attack. According to a recent PwC CEO Survey Report, more than 40% of CEOs are worried about cyberthreats. And they have good reason to be worried: a recent report compiled by the Center for Strategic and International Studies states that nearly $600 bn was lost to cybercrime in 2018 alone. As a result, global spending on cybersecurity has risen 17% in the past 2 years and is projected to exceed $96 bn in 2018. Luckily, the cybersecurity industry has a solution that can provide an effective defense against hacker attacks: bug bounty programs. Even though bug bounty programs were invented two decades ago, it is only in recent years that they have become a reasonably well-known way for companies to fend off hacker attacks. That being said, there are a lot of myths about how the whole process works. In this article, we would like to debunk the most common bug bounty myths:

Myth number 1: Only large companies run bug bounty programs

That used to be true, for a simple reason: only large companies had both the media presence and the qualified personnel to run bug bounty programs successfully. With the rise of bug bounty platforms such as HackenProof, that is no longer the case. Bug bounty platforms help almost any kind of business launch and manage a successful bug bounty program.

The market for bug bounty programs is growing at an ever faster pace. Just look at Gartner’s latest research, which says that more than 50% of large corporates will employ crowdsourced security testing by 2022.

As products and companies grow, it becomes more and more difficult to maintain an adequate level of security. At scale, bug bounty programs become increasingly cost-efficient compared to conventional penetration testing.

Myth number 2: Hackers can’t be trusted

This is quite a common misconception in the business community. We hear it all the time: “How can you guarantee that cybersecurity researchers won’t take the vulnerabilities they find and sell them on the black market?” It is a reasonable concern. There are several points companies should bear in mind when it comes to white hat hackers:

1) White hat hackers are public figures. Being public is “part of the game”

We’ve interviewed a lot of white hat hackers during our work, and we constantly ask them the question “Why have you chosen the white hat hacker path?”

Their response is always the same: “I don’t want to go to jail.” Researchers genuinely enjoy what they do on a daily basis, and they don’t want that to stop. The overwhelming majority state that they don’t do it for the money, but because they enjoy looking for vulnerabilities in software products. To prove the point, check out the Responsible Disclosure Policy of SproutSocial, which specifically says “no compensation will be awarded for bugs found”. Yet there is still a long list of researchers who have submitted vulnerabilities.

2) Legal bug hunting means you can gradually build a reputation

Another big advantage of being a white hat is that one can continuously build up a reputation as time goes by. With every vulnerability found, a white hat hacker gains reputation points as well as monetary rewards (which can be tens of thousands of dollars per vulnerability in some cases). Bug bounty platforms feature leaderboards where cybersecurity researchers compete with each other, and they award top researchers with custom merchandise. After a certain amount of time, successful researchers become influencers: they are asked to give talks at conferences and are invited to participate in bug bounty hackathons across the globe.

3) Selling vulnerabilities on the black market in most cases doesn’t make any sense

The black market is not interested in low- or medium-severity vulnerabilities; selling them there would be close to impossible. At the same time, companies are prepared to pay top dollar for critical vulnerabilities through their bug bounty programs. Bounties for Remote Code Execution can easily reach tens of thousands of dollars.

In addition, the black market is a hostile place where people get scammed all the time, so selling anything there is not exactly a walk in the park.

So, to sum up: reporting vulnerabilities to companies via bug bounty programs is easy, legal and can earn researchers a lot of money.

4) Background checks

For clients that want an extra layer of confidence, we offer private bug bounty programs. We hand-pick researchers whom we have verified personally, and we can also conduct background checks at the client’s request.

Myth number 3: Bug bounty programs don’t yield results

This myth is easy to bust by looking at the numbers. Let’s start with the big companies that everyone is familiar with. A recent report says:

  • Google has paid more than $12 million to bug hunters since 2010
  • Facebook has received more than 12,000 submissions from researchers in 2017 alone! Bounties paid since 2011 exceed $6 million.

Both Facebook and Google wouldn’t have spent their time on bug bounty programs if they didn’t yield results.

In addition, we’d like to share quotes from our existing clients that reflect their experience with bug bounty programs.

This is what Vitaliy Diatlenko (CTO of Uklon, the biggest ride-sharing app in Ukraine) has to say about his experience at the onsite bug bounty marathon “Hacken Cup”:

“It’s been a great decision for Uklon to participate in an onsite bug bounty marathon – Hacken Cup. For 9 hours, 25 ethical hackers were testing our website and mobile apps. Throughout the whole day, Uklon’s technical team discussed reported vulnerabilities with the hackers who were present at the event. We were genuinely surprised by the amount of work they managed to do in a single day. I think that bug bounty programs are a great and cost-efficient way to strengthen security for large and mature companies.”

During the Hacken Cup hackathon, our white hat hackers managed to report 30 verified vulnerabilities in just 9 hours of hacking. Conventional penetration testing would never yield comparable results in such a short period of time.

In addition, as Vitaliy points out, during an onsite bug bounty event companies have a unique opportunity to talk to white hat hackers directly. These interactions are very important, as they give companies the opportunity to see how real hackers plan their attacks.

Bug bounty programs are so effective because hundreds of cybersecurity experts test a client’s software over a prolonged period of time. Researchers on our platform have different backgrounds (web, mobile, IoT, smart contracts, hardware), which means that the chance of a bug “slipping by” is reduced to a minimum.

Myth number 4: They are too expensive and hard to budget compared to penetration testing

It’s important to look at how a bug bounty program is priced compared to penetration testing:

1) During a bug bounty program, companies pay only for verified vulnerabilities

In conventional penetration testing, companies pay for the procedure itself, regardless of how many vulnerabilities are found during the process. Bug bounty programs, however, pay bounties to white hat hackers only for verified vulnerabilities.

2) The client is in control of the budget at all times

Companies can easily put a “limit” on the bug bounty budget if they wish to do so. That way, a company can be certain that payments to researchers won’t get “out of control”.

Myth number 5: Bug bounties are hard to run and manage

During a bug bounty program, companies usually prefer to “outsource” the entire daily management process to a specialized team. By doing so, companies don’t have to distract their in-house technical team. Here’s how the whole process works when launching a managed bug bounty program:

  1. The bug bounty policy is published on the bug bounty platform’s website, and white hat hackers start looking for vulnerabilities within the program’s scope
  2. White hat hackers find and report vulnerabilities through the bug bounty platform’s website
  3. The bug bounty platform’s triage team verifies every vulnerability submitted by researchers and prepares reports for the client. Each report contains a description of the vulnerability and detailed instructions on what needs to be done to fix the problem.

Managed bug bounty programs save companies a ton of time by taking on daily communications with white hat hackers that report vulnerabilities. The larger the company’s digital footprint, the more time can be saved by a managed bug bounty program.

Conclusion

Our digital era dictates the rules. Every year cyberattacks become more advanced, and cybercriminals find new ways to breach systems and steal a company’s data, funds or trade secrets. Nowadays, due to cybersecurity vulnerabilities, companies may lose hundreds of millions of dollars as well as suffer a significant blow to their reputation. While corporations are aware of the problem and are increasing their cybersecurity budgets, conventional methods that were effective in the early 2000s aren’t going to be good enough today. To keep up with the constantly increasing number of advanced cyberthreats, companies have to adapt and recognize that cybersecurity is a continuous problem that requires constant diligence to keep under control.

Bug bounty platforms connect numerous security researchers throughout the world with companies that are looking for continuous security testing.

The process benefits both parties. White hat hackers receive monetary rewards and reputation, while companies receive attention from hundreds of white hat hackers around the world.

Nothing in this world can guarantee absolute security, but bug bounty programs can significantly reduce the risk of a cybersecurity incident by utilizing a crowdsourced security approach. We hope that we’ve managed to debunk at least some of the bug bounty myths you thought were true.

To learn how you can minimize the risk of your cloud infrastructure becoming exposed, contact us for a free consultation.
