Bug bounties have become mainstream, and rightfully so. They offer a way to access and harness the intelligence of a varied set of expert hackers and security researchers without having to incur the cost of hiring an army of security professionals. The main advantage, though, is that one can stay a step ahead of malicious hackers. This article talks about how to set up a bug bounty program and some of the pitfalls to watch out for.
When to do a Bug Bounty?
One obvious question that arises is the necessity of a bug bounty over penetration tests. The answer is that bug bounties tend to be result oriented, whereas a penetration test tends to be a service with no guarantee of bug detection. Penetration testing also focuses on compliance and tends to be a one-time affair.
Ideally it is better to have an ongoing bug bounty. The arguments for a bug bounty are many and quite justifiable. The main advantages are:
- Cost: It is better than hiring full-time security researchers, as it is result oriented.
- Talent: Access to a wide pool of talent spread across the globe.
- PR: Containment of bad publicity and hacks due to unauthorised disclosures.
However, there are many important considerations which may negate the positives if the program is not implemented and executed properly. A couple of things to be concerned about are:
- Malicious hacks: It is very hard to detect whether a malicious hack is underway, as there is no way to distinguish it from legitimate bounty testing.
- Scope: Scope creep may sometimes lead to unintended disclosures.
- PR and reward management: Security researchers may go for public disclosure if they are unhappy with the reward or there are disputes.
So it is important to understand and plan for the human resource needs, budgetary caps and technical depth before launching one.
Platforms and Frameworks
At its simplest, it is just a web page with guidelines, scope, a reporting format and contact details. One example is the PayTm bug bounty.
Such programs usually suffer from poor discoverability and may not get as many results. Managing the process of analysing reports, paying researchers and so on can also be a problem.
There are many organised bug bounty platforms which streamline this process. The most popular ones are bugcrowd and hackerone. These platforms run multiple bug bounties and manage communities of hackers and security researchers. They also manage the protocols of disclosure and rewards.
Private and Public Programs
Public programs can attract a large number of security researchers, which often leads to increased load on the servers and on the person (security professional) who manages the bug bounty program. This may lead to:
- Disruption in services.
- Difficulty in distinguishing between testers (ethical hackers, bounty hunters) and malicious hackers.
- Lowered response times to disclosures, leading to disgruntled, demotivated researchers.
- Reward mismanagement due to lowered response times, leading to a bad reputation among hackers.
Private programs offer the benefits of the platforms while controlling the negatives. In a private program, an organisation chooses to invite specific hackers on the platform. The choice can also be left to the platform, for example to invite the top 10 most active hackers or to select on any other suitable parameters. One good example of a private bug bounty is here: Example of Private Bug Bounty.
It is easy to get carried away by the results of bug bounty programs. Industry claims imply a huge success rate. However, bug bounty programs are not a replacement for processes and a good secure development life cycle. Bug bounties should be viewed as an additional layer of security practice rather than a catch-all security solution.