There’s been some negativity towards bug bounty lately. Not only do I think it’s ill-placed, I believe bug bounty is the future of security. Here’s why:
- Bug bounty is continual instead of point-in-time. A penetration test or vulnerability assessment can check your defenses at a single point in time. The pentest ends and—two days later—a developer accidentally exposes your customer database to the internet. You won’t know about it until your next assessment. A quality bug bounty program continually tests your defenses.
- Bug bounty crowdsources expertise. A pentest or vulnerability assessment validates a company’s defenses with a small number of testers (most often one to three people). A bug bounty program has the security assessed by dozens or hundreds of hackers with varied skillsets and expertise. Anyone in security will tell you that it’s impossible to be an expert in everything. The lead web app tester at my previous job had never heard of template injection. Do I blame him? No. The industry is vast. But if I owned a company, I’d want an army of hackers with varied expertise helping me.
- Bug bounty encourages moral action. Without it, a person who finds a vulnerability has more incentive to use it to make money, sell it to a third party (a nation state, a zero-day dealer, the black market), or ignore it. Not all companies respond well to disclosure. This point is partially covered by a vulnerability disclosure program (VDP). But there may still be a greater incentive to sell a bug to a third party than to disclose it responsibly if there is no bounty associated with disclosure.
- Due to the option of a “short-term” bug bounty assessment through the platforms, there’s no financial risk in bug bounty. You can set a budget, and the program is paused when you hit your limit.
- You’re not paying for something you don’t get. For example, if you’re a company with a lot of security maturity and a pentest produces no findings, you still pay the tester’s fee. With bug bounty, if there are no findings, you only pay the small retainer to the platform.
- To build on the previous point, there is a real incentive for white hat hackers to find vulnerabilities. In a pentest, the incentive is not as large: the fee gets paid regardless of what the assessment finds. This doesn’t discount the testers’ ability. But there’s proof that an incentive will result in more output.
- It’s a healthy alternative to black hat hacking. There are many stories of hackers previously convicted of hacking-related crimes who have turned to bug bounty as an alternative. They are literally turning their crimes into a fruitful career and helping secure the internet. The best example is my friend @dawgyg.
- Bug bounty is an amazing opportunity for technically skilled people in countries with lower-than-average annual income to better provide for their family, friends, and community. Most bounties are well-paying even for US/EU citizens. A few medium-severity bugs can be the equivalent of an annual salary in other countries. This is a great opportunity to funnel money into those areas of the world.
- It’s an amazing way to learn on real-world assets. I view it as a win-win-win for hackers. We get paid to learn while hacking on real-world assets and helping secure the internet for our friends, family, and society at large.
I don’t see a world where bug bounty can fail. It is the ideal solution to a very hard problem. I want the world to know how awesome bug bounty is. If you agree, I’d love it if you shared this article to help it continue to grow. If you’re a company, you should reach out to HackerOne or Bugcrowd. If you’re a hacker (or want to be one), you should sign up to get started with bug bounty.
If you have any questions, feel free to tweet me :) https://twitter.com/rez0__
rez0