What Are Bug Bounty Programs?
Simply put, a bug bounty program invites white-hat hackers to find and report vulnerabilities in a system or application in return for financial rewards. Though initially limited to a handful of high-profile tech companies such as Google or Facebook, bug bounty programs have now become commonplace and are still gaining popularity, even in more conservative industries. Part of the reason is the emergence of organized bug bounty platforms, such as HackerOne or Bugcrowd. These provide marketplaces that make it much easier to announce a bug bounty, attract testers, and manage the submission, acceptance, and payment process.
While responsible disclosure has always been the foundation of ethical hacking, actually getting paid for reporting vulnerabilities is a relatively new thing. Bug bounty programs aim to formalize this by giving security researchers a financial incentive to test specific systems and applications while protecting them from legal action. Although having a bug bounty program is a way of showing that organizations are serious and open about security, it can also be a way to bypass responsible disclosure obligations by enforcing non-disclosure agreements (NDAs) as a condition of payout.
The Benefits of Inviting Bounty Hunters
Many companies wrongly treat bug bounty programs as a cheaper and more convenient alternative to penetration testing. While there are vital differences between the two, it’s true that both approaches let you get a third party to test your outward security and report vulnerabilities. Compared to penetration testers, bounty hunters are paid per reported bug, not per hour, which works out cheaper – at least in theory. Unlike penetration testing, bug bounty programs are also easily and cheaply scalable without upfront costs.
But the biggest appeal of crowdsourcing your security testing to white-hat hackers is, again in theory, having your security tested by multiple experts with a variety of experience, tools, and skills that is beyond the reach of a penetration tester or an internal security team. With such varied skillsets and approaches, bounty hunters can find and report all sorts of issues, from basic to very advanced, regardless of technology and architecture. Considering that ethical hackers use very similar tools and methods to malicious attackers, bug bounty programs can give you a fair idea of your exposure to real-life attacks.
Problems That Bug Bounty Programs Won’t Solve
Considering all these benefits and some aggressive marketing by bug bounty platforms, it’s not surprising that so many organizations are adding bug bounties to their security testing program. However, to get the most out of crowdsourced application security testing, you need to know its limitations and understand its place in your wider application security program.
The ultimate purpose of application security testing is to get complete coverage and a full picture of your security posture so you can close all gaps. The only way to achieve this is through systematic testing – and bug bounties are not the best tool for this job. Bounty hunters focus on (and are paid for) finding and reporting exploitable bugs, not testing every part of an application. In fact, you have no way of knowing if or when they will pick up your bounty offer. In contrast, penetration testers systematically check every corner of the application (or everything that is in scope for a particular test) and report not only exploitable bugs but also other security issues.
Though more comprehensive than bounty hunting, penetration testing is slow and doesn’t scale easily, so automated vulnerability scanning tools are a practical necessity to ensure sufficient coverage. For maximum effectiveness, you should start with high-quality automatic testing, complement that with periodic penetration tests, and then set up an ongoing bug bounty program as a final layer of protection.
Do Your Homework Before You Call the Hunters
Enlisting the help of white-hat hackers to test your application security has never been easier, but for maximum value, you should lay the groundwork before you call in the cavalry. After all, bug bounties are paid out per issue, so each vulnerability that you can find and fix internally is one payout less. Even more importantly, if bounty hunters are reporting simple bugs that you could easily find yourself with a good scanner, you are not making the best use of their skills.
Having lots of simple bugs can also mean a deluge of reports from multiple bounty hunters going after easy money. Even though only the first accepted report for each vulnerability will get a payout, you still need to sift through all the submissions, which your security team might not be prepared for. (As an aside, penetration testers and bounty hunters routinely use automated scanners to test their clients’ systems, so in these cases, you are quite literally paying them for clicking a button that you could easily click yourself to find the very same vulnerabilities.)
As we have written before on this blog, a modern dynamic application security testing (DAST) solution like Invicti should be part of every AppSec toolkit. Good DAST can provide maximum test coverage and identify many common vulnerabilities to pick off the low-hanging fruit (and often some more advanced issues) before you bring in the human experts. It is fast, easy to deploy, and ready to scan and rescan as often as you need. Having a routine vulnerability scanning and remediation workflow also helps to avoid quick-and-dirty fixes for one-off bug reports that could be bypassed to yield another costly bug.
How Invicti Can Maximize the Value of Bug Bounty Programs
To help you prepare for third-party testing, Invicti provides an industry-leading DAST solution that uses proprietary Proof-based Scanning™ technology to automatically confirm many vulnerabilities by safely exploiting them. Each vulnerability report includes detailed information about the identified issue, allowing developers to quickly find the bug, understand the root cause, and permanently eliminate the vulnerability so it doesn’t resurface in the future.
The Invicti philosophy is to automate everything that can be automated so your experts can focus on tasks that really need their skills and intuition. The same approach also applies to working with bug bounty programs: find everything you can using an automated tool, fix those issues, and only then open up your application to external testing. That way, you can save on payouts for less advanced vulnerabilities and get bounty hunters to focus on more complex attacks that only a human can prepare and execute.
Once you are sure that you’re doing all you can using your internal tools and resources, you can then get maximum value from your bug bounty program – and Invicti can help you get there.