Bugs exist in software. That's a fact, not a controversial statement. The challenge (and controversy) lies in how different organizations find the bugs in their software.
One way for organizations to find bugs is with a bug bounty program. Bug bounties are not a panacea or cure-all for finding and eliminating software flaws, but they can play an important role.
In this first installment in an eSecurity Planet series, learn what bug bounties are all about and how they have helped some of the world's leading organizations improve the security of their software.
- What is a bug bounty?
- How bug bounties improve security
- Bug bounty statistics
- Bug bounties gone wrong
- Bug bounty platform vendors
A bug bounty is simply a reward paid to a security researcher for disclosing a software bug in a piece of software.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
The best bug bounty programs work as a structured program, with an organization providing security researchers with some ground rules and policies for submission. Bug bounty programs can be run by organizations on their own, or via third party bug bounty platforms.
Another core element of a bug bounty program is a proper understanding of what constitutes responsible disclosure. A security researcher participating in a bug bounty program should privately disclose a bug to an affected vendor and not publicly disclose that flaw until after the flaw is fixed and the vendor agrees to the public disclosure.
Bug bounties are an important tool that can aid organizations in finding potential vulnerabilities. But the programs have often been misunderstood, which is why the nature and purpose of bug bounties were publicly detailed in a U.S. Senate hearing on Feb. 6.
"We need hackers," Marten Mickos, CEO of bug bounty platform HackerOne, said during his Senate testimony. "Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security."
"Hackers are truly the immune system of the internet," he added.
Justin Brookman, director of the Privacy and Technology Policy Consumers Union, which is the policy and action arm of Consumer Reports, is also a supporter of bug bounties when used properly.
"Consumers Union is a strong proponent of bug bounty programs, and believes that they play a crucial role in a data security ecosystem that has failed consumers far too often," Brookman said during the Senate hearing. "Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law."
Google operates one of the largest bug bounty programs in the industry to help improve the quality of its technologies. In 2017, Google paid a total of $2.9 million to 274 security researchers who participated in its bug bounty programs. A total of 1,230 individual awards were paid out to the researchers, with the largest single award coming in at $112,500.
Facebook also operates a large bug bounty program and awarded a total of $880,000 for flaws that researchers reported in 2017. The average bug bounty payout by Facebook in 2017 was $1,900.
Looking at a broader base, HackerOne, which provides managed bug bounty programs for organizations, found that in 2017 the average bug bounty for a critical vulnerability was $1,923, although payment varies across different industry categories.
Bugcrowd also provides a managed bug bounty platform and has its own set of data on vulnerability payouts. Bugcrowd's 2017 State of the Bug Bounty report found that the average bug across all categories was $451.
While the promise of bug bounties is that they reward researchers for doing the right thing, they can also go wrong too. In 2016, Uber used the HackerOne bug bounty platform to pay hackers who had stolen information on 56 million people from its systems.
"We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," Uber Chief Information Security Officer John Flynn stated during his Senate testimony. "The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed."
Katie Moussouris, CEO of Luta Security, helped to create Microsoft's first bug bounties and worked with the U.S. Department of Defense to build its bug bounty program, known as hack the pentagon. Moussouris made clear during her Senate hearing testimony that paying a researcher for a data breach is not a bug bounty.
"There is a difference between paying $10,000 for a bug and paying $100,000 for a breach," Moussouris said. "If the legal market for bugs becomes muddied with extortion payments that are exponentially higher, we will be building the wrong kind of market, and consumers will be the victims instead of the beneficiaries of enhanced work with hackers."
Back in January 2016, eSecurity Planet posted a video with Bugcrowd staffer Kymberlee Price on how to set up a successful bug bounty program. At the time, Price was the senior director of researcher operations at Bugcrowd, a position she held until 2017. Price currently works as an open-source security management lead at Microsoft.
The same lessons outlined by Price for running a bug program in 2016 hold true today. In her view, running a successful bug bounty program involves more than just providing an email address that researchers can use to submit flaws. Bug bounty programs should also have a standardized submission form to help sort the incoming flow of research.
Watch the full video on how to run a successful bug bounty program here.
There are multiple bug bounty platform vendors in the industry today. In the next installment in this eSecurity Planet series, we'll review what each one does and how they differ.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.