The Efficacy of Bug Bounties

Product vulnerability search, mitigation, and revelation continues to evolve and many companies are considering the adoption of “bug bounties” to augment their internal research and development teams. The realization that a vulnerability undetected will have a deleterious effect on the company brand and potentially place their customers, partners, and clients at risk.

Popular Bug Bounty Programs

Bugcrowd, a prominent bug bounty program host, has identified “four key attributes” which are “used to assess, select, and evaluate individual researcher’s performance.”

These four attributes are:

How often submissions are accepted as “valid” by a program owner – researchers must maintain an acceptance rate of 50% or higher.

Frequency of a researcher’s submissions – only considered active if a submission has been made within the last 90 days.

Criticality and impact of vulnerability submissions, measured between 1.0 (critical) and 5.0 (low) – minimum priority rate of 3.99 required.

Maintaining a track record of staying inside scope of a bounty brief, following terms, and honoring all nondisclosure requirements.

Bugcrowd’s intent is to demystify the community and take a whack at destroying the stigma that those involved in testing and identifying vulnerabilities in products are themselves sitting with a foot in both the white and black hat worlds. Their transparent approach does just that.

HackerOne is another prominent bug bounty program. In a recent interview with Dark Reading, HackerOne’s CEO, Marten Mickos, highlights how security can never be 100 percent perfect, “but bug bounty programs are the most powerful way of preventing cyber crime.” He notes how the use of platforms, like HackerOne, continues to evolve as companies continue to evolve ways to identify vulnerabilities in the attendant disclosure. 

Katie Moussouris, CEO of Luta Security, notes how “bug bounties are applicable in certain circumstances,” in her recent interview with us. She goes on to say how some companies don’t have the wherewithal to address found bugs, while others may opt to not remediate, especially when the product may be close to end-of-life. Her advice: don’t think ‘bug bounty’ until you have handled those vulnerabilities your own team has revealed.

Three Bug Bounty Bills

Moussouris was participatory in the creation of the U.S. Department of Defense’s bug bounty program. The Hill tells us of three bills which the U.S. legislators are considering which would allow U.S. government agencies to create, when appropriate, bug bounty programs. These three bills are:

The Hack the Department of Homeland Security Act (S.1281) empowers the DHS to create their bug bounty program using security researchers who “register with DHS, submit to (a) background check, and receive a determination as to approval for participation.” The purpose of the program, to provide compensation for previously unidentified security vulnerabilities, and have the program managed by a commercial entity, which would include “executing the remediation of identified vulnerabilities.”

The Treasury Innovation Act (H.R. 3868) which empowers the Department of the Treasury to establish a bug bounty program which would provide “monetary compensation for reports of previously unidentified security vulnerabilities”, to establish an “expeditious process by which computer security researchers” are able to participate, “identify those “mission-critical operations” which should be excluded, and work with the U.S. Attorney general to ensure that security researchers are protected from prosecution.

Security America’s Voting Equipment (SAVE) Act (S.2035) provides for increasing the security of U.S. voting systems. The bill specifically calls out the success of the “Hack the Pentagon” pilot program carried out by DoD in 2016, as well as the numerous private sector bug bounty programs. The SAVE Act demands an assessment be conducted and a report on the efficacy of such a program to assist in securing the U.S. voting systems be submitted to various Senate committees.

The evolution of clearing houses like HackerOne and Bugcrowd, provide a means for companies both large and small to reach out to a “policed” environment to solicit participation in their specific bug bounty program. In sum, bug bounty programs reward responsible security research and serve to keep products safe. They serve as a force multiplier to every company’s internal vulnerability research program. Whether to offer money, goods, or positive attribution and notoriety to the participants of a bug bounty program are company specific considerations. 

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).