Bug bounties: The benefits of friendly fire

By asking well-intentioned hackers to test for security vulnerabilities, organisations can strengthen their hand against the bad guys.

By Jo Best

Wed 25 Jul 2018 @ 11:35

As long as there’s been software, bad guys have been trying to find holes in it. The difference today is that there are good guys trying to do exactly the same thing.

Bug bounty schemes see companies pay ethical hackers to find vulnerabilities in their software. This means businesses can fix flaws before they are exploited in the wild.

The first bug bounty scheme was set up by Netscape in the nineties, when an enterprising engineer came up with the novel idea of asking members of the public to find vulnerabilities in the beta of its Navigator 2.0 browser. Merchandise and cash were offered to anyone who could find a flaw. In the more than 20 years since, bug hunting has become an industry worth millions of dollars.

There are now hundreds of bug bounty programmes in operation. While a fair proportion of them are run by tech’s big names – including Google, AT&T, Microsoft and Mozilla – several are run by heavyweights from the wider commercial world, including ABN AMRO and Rabobank in the financial services sector, General Motors, Starbucks, United Airlines and many others. Even US government departments are getting in on the act.

The amounts paid for bug bounties vary tremendously. At the lower end, some companies offer $10 per bug, while others have paid out over $110,000 for the discovery of a single flaw. Others are prepared to offer still more: Microsoft has put a ceiling of $250,000 on payments for critical bugs in Windows 10. Some of the more established bug bounty programmes have grown to the point where millions are handed out annually: Google’s, for example, paid out nearly $3m last year.

The concept of the bug bounty has matured to the extent that third parties offer to run programmes on behalf of companies that don’t want to administer them themselves. HackerOne, for example, has uncovered 50,000 vulnerabilities to date, and predicts it could be administering $100m of bounties by 2020.

The not-for-profit Open Bug Bounty project is another conduit between companies and the individuals who identify flaws in their products. It allows security researchers to report any vulnerabilities they find, have them verified by Open Bug Bounty, and then have the website owners notified.

Before deciding to embark on a bug bounty programme, organisations need to ready themselves for the change in mindset that it brings. Most companies aren’t used to taking a public stance on their vulnerabilities, or to sharing information about their ecosystem with people whose aim is to find flaws in it. Businesses need to be prepared for an honest dialogue with the bug finders working on their systems.

While headlines around bug bounty schemes have generally been positive, not everyone is ready to go public when they pay for flaws. Handily, there’s another option for those who would rather be less open about their programmes: private bug bounties.

This approach sees individual bug hunters personally invited to join private schemes and follow tightly worded briefs that set out what is in scope. By its nature, running a public bounty attracts a greater number of bug finders – and therefore potentially a greater volume of bugs – but it also attracts publicity.

Private schemes attract less attention, but potentially find fewer flaws too. Companies need to weigh up which of the two they’re more comfortable with. It’s possible for businesses to start off with a private scheme and then convert it to a public one once they have a handle on how it works: Netflix is one of the companies that has done just that.

Choosing whether or not to run a bug bounty is one thing, but deciding what to do with the vulnerabilities it uncovers is quite another. Companies using bug bounties should have proper processes in place to govern their next steps after a vulnerability is reported: who triages it, how its severity is rated, how quickly a fix is expected, and when the researcher may talk about it publicly.

A few companies have found themselves on the wrong end of negative headlines after they allowed disclosed bugs to remain open for months and the testers who found those bugs went public.