IMAGE: Venimo — 123RF

You may never have heard of bug bounty programs…

Enrique Dans
Feb 17, 2019

Switzerland, the land of continual referendums and local elections, is testing an electronic voting system developed by Swiss Post and has invited hackers from all over the world to carry out a public intrusion test on it between February 25 and March 24, with prizes up to 50,000 Swiss francs for serious vulnerabilities found.

Bug bounty programs, which pay outside researchers for finding flaws in applications, are an increasingly important part of organizations’ security. Paying people to find faults in your systems is no silver bullet, but it matters both for effectiveness and for reputation. Many commentators have blamed Apple’s slow response to its FaceTime security problem on operational issues with its own bug bounty program, established three years ago, which prevented the teenager who discovered the vulnerability from reporting it properly.

When considering setting up a bug bounty program, it’s important to benefit from others’ experience: specialist companies such as HackerOne or Bugcrowd have been coordinating such programs for a few years and have been able to attract investment, which can make them useful partners if your organization lacks the right skills. In general, despite the media coverage of well-known companies and institutions that set up programs and offer big money to hackers who identify problems, the reality is that a few professionals tend to collect the majority of the prize money, while a much larger base shares smaller payouts. Stories about hackers who make a living from bug bounty programs are just that, stories: most participants earn little, and earn it irregularly.

That said, bug bounty programs are a very efficient way to test a company’s applications and overall security, and while they are not for everyone, they certainly help change how we think about corporate security: detecting and reporting a security problem does not make you a criminal or a blackmailer, and in fact, hacker ethics are against such practices.

Many of the security problems that organizations of all kinds experience arise because hackers are unable to report the vulnerabilities they find, or receive no recompense for doing so: companies either ignore them or, in some cases, even pass the matter on to the police. Allocating a budget to pay for bug bounties and mentioning the program on the corporate website is nothing to be embarrassed about; far from suggesting a disregard for one’s own security professionals, it may well help avoid serious problems down the road.

This article was previously published on Forbes.

(En español, aquí)

Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)