Why Bug Bounty Programs Are Going Mainstream

In contemporary culture, hackers have a conflicted and complicated status. The news is filled with stories of Russian hackers corrupting our media and democratic processes, and your garden-variety hackers—those not sponsored by government regimes or motivated to spread anarchy—are portrayed as shady characters living in the basement.

These perceptions have hindered the acceptance of bug bounty programs to help improve enterprise cybersecurity. Many companies have been wary of or slow to adopt bounty programs to identify weaknesses and potential threats to their cybersecurity. This is at least partially attributable to preconceptions, stoked by the media, that anyone with hacker skills must also have nefarious intentions. But perceptions are changing.

Being a hacker is not illegal. Using specialized skills to perform illegal activities is what makes a hacker a criminal.

The truth is we need as many security specialists on our side as possible, and we can’t afford to hire them all full time. Because this problem can be remedied by the gig economy, bug bounty programs are primed to take off and become a common enterprise security measure. Two decades ago, it was controversial to use such programs. Now it’s clear that they’re essential to navigating today’s threats—it’s risky not to use them.

The logic behind bug bounty programs

The idea is common to any defense approach and begins with the assumption that you’re not safe and, therefore, you must know your weaknesses. No company or governmental entity is immune to cyberthreats, and to assume otherwise is negligent. And no product or suite of products can guarantee 100 percent protection. So, the only logical reaction is to prepare yourself for attacks. Such preparation should include prevention and detection, as well as response capabilities to limit attacks once they’ve gotten into your system and to ensure a speedy recovery.

Bug bounty programs help with all of this. The programs operate as crowdsourcing challenges to hackers. Companies put out potential rewards for anyone who can identify previously unspotted vulnerabilities in their cyber infrastructure, and the one who uncovers bugs fastest receives the reward.

Bug bounty programs illustrate the impact of having outside experts examine your systems to overcome internal inertia or operational blindness so that threats are both prevented and minimized.

Bug bounty programs can’t directly replace traditional pen testing. There will always be apps and infrastructure that cannot leverage them for a variety of reasons, but bug bounty programs can supplement traditional pen testing and make it far more cost-effective.

What follows are the four main reasons why bug bounty programs are set to go mainstream.

Reason 1: Top vendors are using bug bounty programs

Many companies, from Microsoft to Intel to Google, have vulnerability reward programs that pay bounties to anyone who finds security flaws in their portfolio of offerings. There are also companies that focus exclusively on fostering and operationalizing such programs, such as HackerOne and Bugcrowd. Therefore, the range of options companies can choose from has never been wider.

Granted, bug bounty programs are not silver bullets, and there’s no guarantee that they find or prevent every threat. But they now have such wide vendor acceptance that they’ll soon become a part of every enterprise’s approach to cybersecurity.

Reason 2: The programs help with marketing

If you follow the news at all, it’s easy to recognize the impact a cybersecurity breach can have on a company’s reputation. But what breaches like Equifax have demonstrated is that it’s not whether a company’s data is breached, but rather how well that company responds to an attack.

Bug bounty programs in effect help companies with damage control. They provide a marketing angle in that they show consumers and those affected by the attack, as well as the public at large, that a business is taking cybersecurity seriously and doing its best to counteract attacks. Thus, not only are companies getting protection and help to prevent attacks, but when their systems are inevitably penetrated, they have a better idea of how it happened and can show the public that they’re fighting back as best they can.

Reason 3: Competition is everything

Cybersecurity preparedness is highly relative. No business has unlimited resources to spend on cybersecurity; therefore, it’s essential to ensure you at least have as much as, if not more than, your competitors. Otherwise, you become the low-hanging fruit for attacks. As companies realize that their competitors are adding these initiatives to their cybersecurity portfolios, the use of bug bounty programs is bound to expand. Pressure from corporate boards, peers, and competitors will also ensure an increase in bug bounty programs because companies won’t be able to risk being the only one within their industry not using the method.

Reason 4: You can’t hire everyone

Earlier, I alluded to the fact that you need more security specialists than you can hire. Bug bounty programs attract specialists with all types of skills. Some will specialize in SQL injection, others look for problems with scripting, and still others are experts at breaking authentication mechanisms. The point is that a bug bounty program brings you far more skills than a traditional pen testing team can offer. And you pay bounties only on valid bugs, so it’s highly efficient.

This efficiency is critical because companies have to be especially strategic in how they allocate their cybersecurity spend. Bug bounty programs are a great way to enlist outside resources at a fixed price to help improve cybersecurity. Because bounties are awarded only when high-value vulnerabilities are found, bug bounty programs ensure that companies are stretching their cybersecurity dollars as far as they can go.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Bil Harmer is Zscaler CISO for the Americas