If you pay peanuts, you get monkeys. It's an old expression, and it's one that Yahoo! appears to be heeding. Instead of rewarding security researchers who reported bugs in its applications with T-shirts and other corporate swag, the company announced that from Oct. 31 it is offering bounties of between $150 and $15,000 to people who bring new, unique or high-risk bugs to its attention.
In support of its bug bounty program, Yahoo! promises to review any application bugs submitted within a few hours, 365 days a year, 24 hours a day. The issues will be validated by a security team and the submitter contacted within 14 days.
Yahoo! is not a pioneer in this field: Many large companies including Facebook, Google, AT&T, and Microsoft offer similar programs. Bug bounty programs like these require a big commitment. They need both financial and human resources to review and validate bugs within a few hours, and there's no telling how many bug reports will come in on a given day.
Benefits of Bug Bounty Programs
Yet they are a highly effective - and cost effective - way of bringing bugs to light. A penetration test or security audit will normally cost a substantial fixed sum, offer the expertise of a limited number of security experts, and ultimately catch a limited number of bugs during the period that the test or audit is carried out.
A bug bounty program, on the other hand, works on a more efficient "pay per bug" basis. A huge number of potential experts can contribute, and since it's open ended there's no limit to the bugs that may be found. And as software is updated, bounty hunters can spot and eliminate new bugs.
That also means there's no limit to the amount of money that may be paid out in bounties -- although if a company like Yahoo! decides they no longer wish to spend money on bounties, they can simply close the program.
But what if your company doesn't have the resources -- either the staff or the expertise -- to run a big bounty program like Yahoo!'s?
Bug Bounty on a Budget
It turns out that this needn't be a problem, thanks to a number of startups around the world that are beginning to offer bug bounty programs as a service. These companies include Denmark-based CrowdCurity, Australia's Bugwolf and two U.S. companies, Synack and Bugcrowd.
The concept is exciting venture capitalists. Synack recently secured $1.5 million in seed funding from investors including Kleiner Perkins, while Bugcrowd raised $1.6 million from ICON Venture Partners, Paladin Capital Group and Square Peg Capital.
Each company works in a slightly different way, but as an example BugWolf will recruit or crowdsource security experts from around the word, vet them and organize them in to teams of about 10 people. Then, for a fixed fee of typically between $5,000 and $20,000, they will unleash these white hat hacker teams on your Web or mobile application, validate the bugs that they find, and distribute bounties to team members according to how many bugs they find and how significant they are.
"Our programs typically run for two or three days, and at the end we go back to the customer with a detailed report on the bugs that have been found, along with screenshots or screencasts," says Ash Conway, Bugwolf's CEO. "Normally the customer is quite taken aback about the volume and quality of bugs that we find."
Conway does not believe that bug bounty programs are a complete alternative to more traditional security testing measures. "We see ourselves as complementary to the penetration testing process," he says. "We can accelerate the testing cycle from weeks to days, but I don't think we'll ever remove the need for traditional penetration testing."
White Hats, Black Hearts?
An obvious question: How do you know the white hat hackers employed by a company like BugWolf really are white hats? What if they find bugs and keep quiet about them, preferring to sell them to someone else, or to come back another day to exploit them?
In Bugwolf's case that's not an issue, as the type of applications being tested are Web or mobile apps that already can be accessed by anyone. But what about the testing of more sensitive back-end applications?
Jay Kaplan, CEO of Synack, says that knowing the participants is key. "Our testers are highly trusted, and they go through our vetting process. We know who they are, and we keep the community small. We use security researchers and engineers from China, Bangalore, in fact from all over the world -- but if our customers are not comfortable with that, then we can offer people exclusively from the U.S."
Synack is also developed a testing "platform," so all bounty hunters will connect to the system through a VPN via Synack so the company can identify its own testers. "We will differentiate them from real attackers, and we can monitor them and take rudimentary measures to make sure nothing malicious is going on."
But Kaplan adds that ultimately it comes down to a matter of trust and reputation - just as it does when a company employs consultants or penetration testers to carry out a security assessment.
Synack's approach differs from Bugwolf's in that its engagements are much longer. "We run pilot scopes for about 90 days, but we hope our customers keep their programs running in perpetuity, as they are constantly adding new code to their platforms," Kaplan says. That makes Synack more similar to the type of ongoing bug bounty programs that Yahoo! or Facebook run, but it also means the programs are effectively open ended in terms of bounty budgets.
Kaplan doesn't believe that this is a problem, especially for larger companies. "If we uncover very critical vulnerabilities, then customers are happy to pay for them," he says.
Bug Bounty as a Service: Buying Advice
If you are considering using a bug bounty program as a service, here are some good questions to ask potential vendors:
- Duration: How long will the bug hunting program last?
- Vetting: What vetting procedures are carried out to ensure that bounty hunters are security experts and have good reputations?
- Quantity: How many eyeballs will scrutinize your apps?
- Monitoring: Do bounty hunters participate though a controlled testing platform? Does the platform allow for monitoring or measures such as throttling to prevent service disruption if required?
- Budget: Will the program be a fixed budget or an open-ended one?
- Reporting: What sort of bug reports and other documentation is provided, either on an ongoing basis or at the conclusion of the test?
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.