During the last few years many companies have become interested in bug bounty programs and in how these programs can benefit the company's information security. A successful bug bounty program calls for high-quality processes throughout the program's life cycle. In our experience, companies aren't always aware of the challenges the program creates, and as a result the program doesn't reach its full potential for revealing vulnerabilities.
So, what is needed to create a successful bug bounty program and how much will it cost?
What is a bug bounty program?
Bug bounty programs are programs that companies and organizations use to get hackers to search for and report vulnerabilities and bugs. The hackers in turn are rewarded for the vulnerabilities they find, and the bounties can be very high, depending on how severe the vulnerability is. This lets companies learn about potential information security problems, draw on a wider group of hackers to detect vulnerabilities, and fix the vulnerabilities before someone else exploits them. The programs are usually run on platforms designed specifically for bug bounty programs. The platforms provide a safe way to run the programs, both for the companies and for the hackers. Examples of such platforms used in the Finnish market are HackerOne and Hackr.fi.
To start the program, the organizer, i.e. a company or an organization, creates the rules for the program. The rules define which services are in the program's scope and how those services may be tested. The organizer also defines the amount of the bounties paid to the hackers and whether the program is public or private. In a public program anyone can participate; in a private one, specific hackers are invited to participate.
A successful program requires processes
A successful bug bounty program needs thorough preparation. It's not enough for the organizing entity to register on a platform and publish the program. How will the organizer handle the incoming reports? How will the reported bugs and vulnerabilities be triaged and fixed? Has the scope been defined? Who will communicate with the hackers, analyse the criticality of the findings and decide on the amount of the bounties? There are many questions that need to be answered before the program can be published.
Before publishing the bug bounty program, the organizer should ensure a sufficient level of information security in the services included in the scope. The services should be tested beforehand and known vulnerabilities should be fixed; otherwise the program and its costs will become impossible to handle. The organization will also drown in the vulnerabilities reported by the hackers, making their analysis an impossible task. Thus, the organizer's first task is to establish the information security maturity of the in-scope services and to know their security level before the program opens.
When an organization decides to start a bug bounty program, it should always plan proper processes. For example, the following questions should be answered before starting the program:
- Has the scope been determined, and has the security level of the services in it been verified?
- Have the rules been created?
- Will the program be public or private?
- How much will the bounties be?
- Who follows the reports from the hackers and communicates with them?
- Does the organization have the skills and resources to analyse the reported vulnerabilities? Who in the organization does this?
- Who evaluates the criticality of the reports? What criteria are used?
- How will the vulnerabilities be communicated to the organization's software developers?
- How will the organization confirm that the reported vulnerabilities have actually been fixed?
It is essential that these questions have been answered before the launch of the bug bounty program, since otherwise the program won't benefit the organizing company. Before publishing, the organizer also needs to confirm that the business goals of the service aren't threatened during the program, for example that the testing won't cause outages or other disruptions in the chosen service.
Is a bug bounty program a shortcut to happiness?
In order to get the best hackers to participate, the program needs to be interesting enough from a hacker's perspective. This requires competitive bounties and a broad scope, which in turn inevitably increases the costs of the program. It's also worth noting that the number of top hackers available for the program is limited, and the majority of hackers rely on automated tools in search of easy bounties. Communicating with these parties, for example triaging duplicate or low-value scanner findings, can take a surprising amount of time, even though they often don't bring a considerable amount of value to the company.
The most important goal of the program is to increase the information security of the services chosen for the scope, but we've noticed that our customers have difficulty fixing the reported vulnerabilities. Thus, the most important goal unfortunately often isn't achieved. When this happens, the money and resources spent on the program have been wasted.
One of the biggest challenges of bug bounty programs is the difficulty of predicting costs. It's good to remember that the costs aren't limited to the bounties paid to the hackers: the software developer also charges for the fixes, and using the organization's own resources costs as well. A good rule of thumb is to multiply the bounties by two to get a rough estimate of the total cost. If, for example, the bounties paid were 20 000 € a year, the rough estimate of the real cost of the program would be 40 000 €. Thus, we can conclude that bug bounties don't offer a shortcut to finding vulnerabilities, but the program can reveal vulnerabilities that wouldn't have been found in a normal information security audit.
And the benefits?
Even though a bug bounty program usually requires financial and other resources from the organizer, a well-organized program can bring many benefits to the company. The program can reveal vulnerabilities that otherwise wouldn't have been noticed in a normal security audit, since an individual hacker can spend a significant amount of time hunting for a single vulnerability. Such a thorough search for a single vulnerability isn't usually possible in a normal security audit because of schedule constraints.
Companies whose services can't be kept sufficiently secure by an audit made once a year also benefit from bug bounty programs. For example, if a company has services or applications where updates or new releases are made daily, a yearly audit is soon outdated. A bug bounty program, by contrast, lets the company have the service tested 365 days a year and pay only for the vulnerabilities that are found.
Other benefits for companies can include the good publicity created by the program and increased brand value. A well-organized program can also create value in terms of employer branding and help in recruiting new employees, especially hackers. Thus, the benefits of the program aren't limited to increased information security; they also extend to the company's brand.
Information security audit or bug bounty?
A traditional information security audit and a bug bounty program shouldn't be thought of as mutually exclusive. If only one of them is an option for a company, then a security audit gives a better view of the situation as a whole, and the testing is carried out by professional information security auditors. Neither of these can be guaranteed in a bug bounty program.
If the organizer has enough resources and maturity, then a bug bounty program adds depth to the traditional security audits. Regular security testing is still needed in order to confirm the basic level of information security, and it also allows the organization to estimate the costs better. If only a bug bounty program is used, without a traditional audit, then the organization takes a major risk of unpredictable testing costs: it has no understanding of the security level of the services or of the vulnerabilities they may contain. The hackers may then find several easy vulnerabilities, and each of these has to be paid for with a bounty.
How will we bring value to your bug bounty program?
2NS helps customers both in starting bug bounty programs and in running them. We help our customers ensure that the needed processes have been established before the start of the bug bounty program. We also offer help in analysing the reported vulnerabilities, verifying the fixes and communicating with the hackers.