Should Your Company Hire Bug Bounty-Hunters?

From Apple to the Department of Defense, organizations are turning to "good" hackers to find vulnerabilities. Here are some things to consider before you do, too.


Both federal and state governments have been tightening cybersecurity regulations, and it is clear that they are no longer waiting for a breach before issuing fines. Perceived risk alone is now grounds for a violation.

The most common guidelines call for a clearly mapped security-team hierarchy and usually include some vague wording about deploying a cybersecurity solution. Analytics products built on machine learning are growing popular because threshold-based controls provide only limited visibility, while SIEMs generate far too many false alarms and buckle under the large data volumes toward which most businesses are headed.

At this point we have learned the tough-love truth that hackers cannot be prevented; they have to be stopped, and stopped quickly. With that in mind, organizations such as Google, Tesla, Western Union, and even the Department of Defense have invested in risk management by implementing bug-bounty programs. These crowd-sourced programs entice hackers and other tech-savvy individuals to find vulnerabilities in a company’s systems in exchange for cash and other perks. (Apple, for instance, has offered up to $200,000 for spotting holes in its systems.)

A year ago, the bug-bounty platform HackerOne claimed that it had helped discover 21,000 verified vulnerabilities since it went into business in 2012.


Bug-bounty programs span several industries and, according to Law360 (the legal news and analysis site), are becoming a new norm. “According to a recent report, the number of companies with such programs has more than tripled year over year since 2013, with significant gains seen in the financial services, automotive, healthcare, and retail sectors,” writes Kim Peretti, an attorney who is also co-chair of the cybersecurity team at her firm, Alston & Bird.

She also warns that, “One side effect of the rise in bug-bounty programs…is a commensurate increase in publicly known security vulnerabilities that can, in turn, lead to increased scrutiny from regulators (and the plaintiffs bar), who become aware of the previously undisclosed vulnerabilities through these methods.” Peretti cites the public discovery of Android’s “Stagefright” bugs, which triggered FTC investigations. This has prompted companies to include strict non-disclosure clauses in their contracts with bug hunters, who, as a culture, are not exactly shy about their conquests.


Pluralsight, a technology-learning platform, suggests the following best practices before starting a bug-bounty program:

Have a bug-fixing process in place: be prepared to triage, fix, and verify what your hunters find, because a report you cannot act on is a liability rather than an asset.
Appoint a bug-bounty advocate: the program only works with an in-house manager who pays attention to it day to day and liaises with your SecOps and executive teams.
Conduct a bug audit: a bounty program is not a crutch. Fix the vulnerabilities your own team and tools can already find first, so you are not paying bounties for issues an internal audit would have caught.
Check with legal: verify that your program complies with applicable law, and that the language in your agreement (such as details about scope, privacy, and pricing) protects overall business objectives.


As larger companies implement these programs, it is essential that they remind themselves that a bug-bounty program cannot compensate for shoddy cybersecurity. A sound in-house security program is your most important risk-management investment; budget permitting, bug-bounty hunters can be a valuable supplement to it.

The graphs in this story were taken from Bugcrowd’s 2016 report, “The State of Bug Bounty.”