In Part 1 of “Bug Bounty Programs: Are You Ready?” we examined the growth of commercial bug bounty programs and what organizations need to do before investing in and launching their own bug bounty. In this part, we’ll discuss why an organization needs to launch a bug bounty program, and what limits the value they will likely extract from such an investment.
Down the Bug Bounty Path
As organizations contemplate bug bounty programs, it is important that they understand what can realistically be achieved. Since the creation of commercial bug bounty management platforms, a lot of attention has focused on the “many eyes” and “global talent pool” pitch, implying that these new platforms enable more security researchers and bug hunters from around the world to disclose their latest findings directly to the organization behind the bug bounty.
Contributions to bug bounty programs are, unfortunately, much more nuanced than that. Over the last three years, largely due to the increasing number of bug bounty programs and growth of commercial bounty platforms, it can be argued that such programs are returning less security value than a decade ago—and that the value extracted from bug bounty programs will continue to fall going forward.
The primary reasons for launching a bug bounty program should be the following.
The first is media and public relations. A bug bounty program is generally perceived as an invitation to the security research community, signalling that the organization is not antagonistic and is unlikely to pursue legal reprisal for the disclosure of bugs.
That public invitation also places at odds with the community any researcher who chooses to publicly disclose or sell a vulnerability without first submitting it through the program. Should a researcher ever disclose a vulnerability publicly independent of the program, the affected organization can comfortably tell the public that it followed best security practice, and that the discloser is the villain.
The second is disclosure management. Most organizations traditionally struggle to manage third-party submissions of bugs and security vulnerability disclosures. A well planned and operated bug bounty program facilitates the triage, remediation, and public disclosure of inbound submissions. The primary value of commercial bug bounty platforms assuredly lies in their ability to put a workflow around the disclosure process, track communications, and coordinate payments to the bug hunter.
Expectations versus Reality
It is likely that many companies approach bug bounty programs with an expectation of reducing the per-bug cost of discovery. In essence, there is a belief that bug bounties are a cheap and effective way of uncovering embarrassing or critical security flaws in an organization’s Internet-facing systems.
Purveyors of bug bounty platforms tend to extol the virtues of crowdsourced vulnerability discovery. The premise is that there are tens of thousands of software engineers, security researchers, and hackers online who have the necessary skills, time, and motivation to probe and investigate an online system or asset and, if appropriately incentivized, report their findings back to the bug bounty program owner.
One perspective on the likelihood of a bug bounty program identifying meaningful security flaws and exploitable bugs for a company is to examine the kind of researcher that may participate in the campaign:
Organizations that offer bug bounty programs typically prefer the attention of the last three categories of bug contributor. Since a financial reward is often the key motivator for these groups, the bounties on offer need to be both competitive and likely to yield findings.
Paying the most for bugs does not necessarily mean attracting the best bug hunters. Any experienced security researcher knows that the probability of finding new bugs is higher in a company or web site that has not previously run a bug bounty program, so they may skip the harder (highest paying) targets in favour of softer ones that will net more money overall or advance them on the leaderboard.
Depth of bug pursuit
Understanding the relationship between the size of a bounty and the probability that a bug hunter will actually collect it is an important ingredient in tuning a bounty program and enticing the necessary hunting expertise.
Organizations should also consider the technical depth underpinning bug discovery and the effort being expended to enumerate those bugs. Having a large pool of “many eyes” hacking away at an online site or product does not confer depth or breadth of security coverage.
The vast majority of bug bounty participants will initially use automated vulnerability scanners, and many will not undertake investigations far removed from the capabilities of good commercial vulnerability scanning products. As such, it is highly recommended that any organization contemplating a bug bounty program regularly scan its assets with multiple vulnerability scanners prior to (and during) the program. Such scanning will typically uncover 95-99% of all the vulnerabilities most bug hunters are likely to discover when they use their own customized tools.
It is equally important that every known deviation from commonly promoted security best practice that has been deemed “acceptable risk” is documented in advance and explicitly excluded from the bug bounty program’s scope. For example, it may be acceptable that the application serves a robots.txt file that disallows web crawlers from indexing an administrative directory. Every bug hunter running a vulnerability scanner will spot that file and will likely file a security bug about the enumeration of the admin directory, and some will then demand a bounty for it. Do you want to handle the response to a hundred submissions of this single “bug”?
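The following is an added example, not code from the original article or from any bounty platform, of the pre-triage step described above: the Disallow paths a scanner would pull from robots.txt are pre-registered as documented accepted risk, and inbound submissions that merely restate them are auto-closed with the documented reason, while everything else goes to a human. The robots.txt content, the host names, the finding class names and the submissions are all constructed here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed robots.txt of the kind every scanner fetches and parses.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/          # admin UI sits behind SSO; listing it here is accepted risk
Disallow: /internal/reports
Allow: /public/
"""

# Hypothetical normalised finding class used by the triage queue.
ROBOTS_FINDING = "robots-txt-path-disclosure"


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return the Disallow entries a scanner would enumerate from robots.txt."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


@dataclass(frozen=True)
class AcceptedRisk:
    finding: str       # normalised finding class
    host: str
    path_prefix: str
    reason: str        # reused verbatim in the canned response to the hunter


@dataclass(frozen=True)
class Submission:
    submission_id: str
    finding: str
    url: str


def normalise_path(path: str) -> str:
    """Fold /Admin, /admin and /admin/ into /admin so duplicates collapse."""
    stripped = path.strip("/").lower()
    return "/" + stripped if stripped else "/"


def build_register(host: str, robots_txt: str) -> List[AcceptedRisk]:
    """Pre-register every robots.txt Disallow path as a documented accepted risk."""
    return [
        AcceptedRisk(ROBOTS_FINDING, host.lower(), p,
                     "Paths listed in robots.txt are documented accepted risk; "
                     "they require authentication and are out of scope.")
        for p in disallowed_paths(robots_txt)
    ]


def match_accepted_risk(sub: Submission,
                        register: List[AcceptedRisk]) -> Optional[AcceptedRisk]:
    """Return the accepted-risk entry a submission duplicates, or None."""
    parts = urlsplit(sub.url)
    host = (parts.hostname or "").lower()
    path = normalise_path(parts.path)
    for entry in register:
        if entry.finding != sub.finding or entry.host != host:
            continue
        prefix = normalise_path(entry.path_prefix)
        # Match the path itself or anything underneath it, but not /administrator.
        if path == prefix or path.startswith(prefix + "/"):
            return entry
    return None


def triage(subs: List[Submission], register: List[AcceptedRisk]
           ) -> Tuple[List[Submission], List[Tuple[Submission, AcceptedRisk]]]:
    """Split inbound reports into those needing human review and those that
    duplicate a documented accepted risk (returned with the matching entry)."""
    needs_review, auto_closed = [], []
    for sub in subs:
        hit = match_accepted_risk(sub, register)
        if hit is None:
            needs_review.append(sub)
        else:
            auto_closed.append((sub, hit))
    return needs_review, auto_closed


# Constructed inbound submissions: four restatements of the robots.txt "bug",
# one genuine finding, and one robots.txt report against a host not yet registered.
SAMPLE_SUBMISSIONS = [
    Submission("BB-101", ROBOTS_FINDING, "https://www.example.com/admin/"),
    Submission("BB-102", ROBOTS_FINDING, "https://WWW.example.com/Admin"),
    Submission("BB-103", ROBOTS_FINDING, "https://www.example.com/admin/users?id=1"),
    Submission("BB-104", ROBOTS_FINDING, "https://www.example.com/internal/reports"),
    Submission("BB-105", "reflected-xss", "https://www.example.com/search?q=x"),
    Submission("BB-106", ROBOTS_FINDING, "https://api.example.com/admin/"),
]

if __name__ == "__main__":
    register = build_register("www.example.com", ROBOTS_TXT)
    review, closed = triage(SAMPLE_SUBMISSIONS, register)
    for sub, entry in closed:
        print(f"{sub.submission_id}: auto-closed, duplicate of accepted risk {entry.path_prefix}")
    for sub in review:
        print(f"{sub.submission_id}: needs review")
```

The register is keyed on host as well as path so that the same robots.txt finding against a host that has not been reviewed (BB-106 above) still reaches a human; accepting a risk on one property does not accept it everywhere. Running the register against each new scanner baseline before launch, and again after every release, keeps the exclusion list current rather than a one-off document.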
In Part 3 we’ll look at the crystal ball. Managed vulnerability scanning and regular penetration testing form the basis of vulnerability management and certification today. Can bug bounty programs and platform providers close the gap on vulnerability management and usurp the commercial penetration testing market, or is this all just a flash in the pan?