Bug Bounty Programs Help Companies Track Vulnerabilities

Companies release new software and products to corporate users and consumers, hoping final product releases are stable and free of bugs.

But releasing a secure and polished product is much easier said than done. While companies work diligently to prevent vulnerabilities, they can only be partly successful, since their internal teams often have limited capacity.

That's where bug bounty programs come in.

During a recent Open Web Application Security Project (OWASP) conference, a hosted bug bounty contest found more than 80 vulnerabilities for the companies that participated. These types of contests and hosted programs are becoming more popular, taking place at other major computer and technology conferences across the United States.

Once third-party coders discover a flaw, companies move rapidly to analyze the reports and fix legitimate vulnerabilities before they can be exploited.

Go for the Glory

“Bug bounty programs have been surprisingly effective for organizations that want to get some additional security feedback,” said Jeff Williams, chief technology officer of Contrast Security. “Some of these pay rewards, but most of them are simply to get listed on the ‘Hall of Fame.’ Everyone I’ve talked to about these programs says that it’s not the money that drives people to participate. It’s about the glory.”

Bug bounty programs are becoming more popular at major companies, which invite programmers, coders and others with technical knowledge to help them identify potential risks.

More than 220 companies have established programs with Bugcrowd. The majority of companies rely on Hall of Fame entries and free swag in exchange for discovering bugs, though a growing number are offering cash-based incentives.

However, tracking down every submitted lead takes time and resources, not every reported bug is a major security vulnerability, and attacks tend to begin rapidly once a company launches a program. Even with that risk, companies will continue to fine-tune their bug bounty hunts and engage the coding community in the future.

Reaping Benefits

Since launching its bug bounty program in 2010, Google has paid out more than $4 million, with 200 researchers collectively earning $1.5 million for tracking down 500 bugs in the past 12 months. The search giant plans to provide up to $3,133.70 per successful vulnerability found by bug bounty hunters.

GitHub received 1,920 security vulnerability submissions in the past year, and 869 of them required additional review. A total of 57 previously unknown vulnerabilities were fixed thanks to the added attention from outside researchers.

Williams and other experts highly recommend that companies embrace some type of bug bounty program, whether it’s a paid initiative or one that offers other perks, to provide a more balanced approach to application security.

Cybercrime is an evolving issue, with an alarming number of hacktivists and organized criminals launching cyberattacks. Exploiting security vulnerabilities and software bugs has proven to be an effective strategy for attackers, and it will remain an appealing one in 2015.

Title image from the Warner Brothers movie, Them.