
The Effectiveness of Bug Bounty Programs

As hackers continue to grow more sophisticated, many firms are struggling to find ways to ensure that their systems are secure. In support of that goal, some have found a measure of success with bug bounty programs, which allow firms to crowdsource the identification of vulnerabilities. The Cipher Brief asked Mike Taylor, the lead software developer at Rook Security, about the effectiveness of these programs. According to him, the most important factor is that the program be run well and that rewards scale to match the severity of discovered vulnerabilities.

The Cipher Brief: Some of our readers may be unfamiliar with bug bounty programs. Could you briefly describe what they are and what benefit they are intended to provide?

Mike Taylor: Bug bounty programs incentivize the reporting of errors, security vulnerabilities, and bugs to a software development company. These programs can be made available to the general public or enacted on an internal basis that is reserved for a company's staff. Many programs will scale the bounty payout in relationship to the severity of the reported bug.

TCB: How effective are bug bounty programs in general? Are there any differences in effectiveness based on business sector, and if so, what industries have benefited from them the most?

MT: The effectiveness of a bug bounty program has more to do with the maturity of the software development company than with the industry they are in. An externally facing bounty program needs to have a sufficiently mature internal set of controls to manage the influx of reports. Controls include the management of communications between the submitter and the development teams, identifying duplicate submissions, and balancing efforts to address the reports. Companies whose core competencies are in the software development field often have a more mature process on which they can build a successful bounty program.

TCB: Are there any downsides to using a bug bounty program? If so, what are they, and how can they be mitigated?

MT: The dangers of a bug bounty program typically lie in the perception of a company after beginning it. Negative outcomes can come from both internal and external bounty programs. Companies can begin an internal program that does not follow through with appropriate incentives, time allocation, or stakeholder buy-in. Such actions can be turn-offs to developers, who then perceive participation as an inefficient use of their time. Public-facing programs run the risk of a submitter feeling that their reward was insufficient and then publishing the bug or vulnerability in a public forum before it can be fixed.

TCB: Do you have any advice for a business that is thinking about setting up a bug bounty program? What should such a business consider before starting this type of program?

MT: These issues can be addressed through proper planning. The program needs to have buy-in from multiple different departments to be executed effectively. The organization as a whole needs to be in alignment with the goals and desired outcomes of the bounty program. Limiting the scope of the bounty program to a subset of the products that the company develops can help the organization improve the process. Once the internal processes for handling the bug bounties have been implemented, the organization can determine if expanding the program aligns with their objectives.
