Bug Bounties and Crowd Sourcing Security

Bug bounties. Maybe you’ve heard of them, maybe you haven’t. If you haven’t, don’t worry: this post will explain everything. At yesterday’s #IDGTECHtalk Twitter chat we discussed the role bug bounties can play in securing the enterprise. We heard from CSOs and security experts, some of whom have dabbled in bug bounty hunting themselves.
Here’s what we learned:
But first, what in the world is a bug bounty?
Bug bounties are essentially crowdsourced security testing. Bug bounty hunters are white-hat hackers who are paid a fee for discovering security vulnerabilities in a system and reporting them to its owner rather than exploiting them.
Bug bounties seem to be reserved for larger corporations
When we asked if our experts were currently using bug bounties, the majority of them answered no. We later learned that bug bounties require a lot of time and money to run well (triaging reports, validating findings, and paying out), so smaller organizations are less likely to use them. Organizations like Google or Facebook, which have the resources to manage the white-hat hackers and pay them handsomely, are more likely to run a bug bounty program.
Trust is an issue
Another huge point that was raised is whether or not bug bounty hunters can be trusted. How do we know these hackers are really white hat? It is very easy for someone to discover a bug in your system and use that knowledge against you, for example by threatening to disclose or exploit it unless they are paid more. That is why organizations need very clear language, formal contracts, and NDAs in place before any bug bounty program begins.
Some experts propose flat fees
Some of our experts proposed a flat-fee payment strategy for reported vulnerabilities. Paying a fixed amount per valid report, rather than negotiating each payout, could reduce the incentive for extortion and level the playing field for hackers a bit.
Bug bounties involve a lot of risk, but they can also be really beneficial
Crowdsourcing your security testing can be a really great way for organizations to discover vulnerabilities in their infrastructure, apps, or products, but the cost and risk will always be there. That has to be taken into consideration.
Big thanks to everyone who attended this enlightening chat, and a huge thank you to George Gerchow for leading the discussion. If you are interested in joining an #IDGTECHtalk, they occur every Thursday at 12pm ET on Twitter. Please join us!

