As hackers continue to grow more sophisticated, many firms are struggling to find ways to ensure that their systems are secure. In support of that goal, some have found a measure of success with bug bounty programs, which allow firms to crowdsource the identification of vulnerabilities. The Cipher Brief asked Mike Taylor, the lead software developer at Rook Security, about the effectiveness of these programs. According to him, the most important factor is that the program be run well and that rewards scale to match the severity of discovered vulnerabilities.
The Cipher Brief: Some of our readers may be unfamiliar with bug bounty programs, could you briefly describe what they are and what benefit they are intended to provide?
Mike Taylor: Bug bounty programs incentivize the reporting of errors, security vulnerabilities, and bugs to a software development company. These programs can be made available to the general public or enacted on an internal basis that is reserved for a company's staff. Many programs will scale the bounty payout in relationship to the severity of the reported bug.
TCB: How effective are bug bounty programs in general? Are there any differences in effectiveness based on business sector, and if so, what industries have benefited from them the most?
MT: The effectiveness of a bug bounty program has more to do with the maturity of the software development company than with the industry they are in. An externally facing bounty program needs to have a sufficiently mature internal set of controls to manage the influx of reports. Controls include the management of communications between the submitter and the development teams, identifying duplicate submissions, and balancing efforts to address the reports. Companies whose core competencies are in the software development field often have a more mature process on which they can build a successful bounty program.
TCB: Are there any downsides to using a bug bounty program? If so, what are they, and how can they mitigated?
MT: The dangers of a bug bounty program typically lie in the perception of a company after beginning it. Negative outcomes can come from both internal and external bounty programs. Companies can begin an internal program that does not follow through with appropriate incentives, time allocation, or stakeholder buy-in. Such actions can be turn-offs to developers who then perceive participation as an inefficient use of their time. Public facing programs run the risk of a submitter feeling that their reward was insufficient and then publishing the bug or vulnerability in a public forum before it can be fixed.
TCB: Do you have any advice for a business that is thinking about setting up a bug bounty program? What should such a business consider before starting this type of program?
MT: These issues can be addressed through proper planning. The program needs to have buy-in from multiple different departments to be executed effectively. The organization as a whole needs to be in alignment with the goals and desired outcomes of the bounty program. Limiting the scope of the bounty program to a subset of the products that the company develops can help the organization improve the process. Once the internal processes for handling the bug bounties have been implemented, the organization can determine if expanding the program aligns with their objectives.
