Bug bounty programs have quickly gained steam as a way for companies to defend software interests without overspending on internal IT staffers. The premise is simple: Offer money or other compensation in exchange for well-documented, repeatable bug discoveries that are reported directly to enterprises instead of being shopped around underground markets. Businesses like Google, Dropbox and even Instagram have used these bounties to great effect, but for the moment, independent and vendor-sponsored bounties still dominate the market.
According to Threatpost, however, a new tool designed by HackerOne has emerged as the first step for companies looking to take charge of their own IT security by creating an in-house bug program. Here’s a quick overview.
Is Your Organization Ready?
Called the Vulnerability Coordination Maturity Model, HackerOne’s free assessment tool lets companies “determine where shortcomings may exist in areas such as executive support, communicating with customers and the industry, and incentives, before turning to established ISO standards.” In effect, the five-minute survey is designed to provide a rough baseline of corporate readiness to implement a bug bounty program — before companies start spending on infrastructure and integration.
As noted by Katie Moussouris of HackerOne, the complexity of software vulnerabilities in a cloud- and mobile-enabled world means that wanting a bounty program isn’t enough. “CSOs need to figure out if they’re prepared to receive vulnerability reports from the outside,” she told Threatpost. By providing determinations of basic, advanced or expert in each of the five top-level capabilities needed for an effective program, the HackerOne tool gives CSOs the concrete starting point required to effectively direct IT spend. For example, businesses can make sure they’re not overpaying for new vulnerabilities or unable to determine the root cause of specific bugs before going live.
Cost/Benefit of a Bug Bounty Program
But is the HackerOne tool — or a similar assessment — really necessary? Isn’t it possible for companies to simply task in-house IT with mimicking the structure of existing bounty programs and then handling any issues that emerge on a case-by-case basis? As noted by Data Center Journal, this isn’t a good idea for several reasons.
First is the influx of bug reports that come along with any new program. If made lucrative enough, both security pros and gifted amateurs will flood corporate gates with report after report — and not all these reports will contain useful information. Some will contain known vulnerabilities or variations on a theme, while others will mistake complex features or app functions for security holes. There’s also the problem of fishy reports or finders who claim they’ve discovered devastating bugs but want big money before they turn over the details. It never pays to wind up in this kind of standoff situation.
Enterprises also need to consider the competition. According to Engadget, security firm Zerodium is now offering a $1 million bounty for iOS 9 zero-day exploits. This isn’t a benevolent act to spare Apple and iOS 9 users the damage done by determined attackers. Instead, the firm would share exploit details with its clients to be used (and abused) as they see fit. Some experts argue that going to the affected company first is the morally upstanding choice, while others say that since Apple and other big names don’t pay out anything for bounties, it’s their own problem. For businesses new to world of bug bounties, it’s a wake-up call. This is a cutthroat, winner-take-all endeavor.
Here’s how it all shakes out: Software deployments are rapidly becoming both complex and quick to evolve, even for midsize companies and smaller enterprises. The result? It’s time to consider implementing a bug bounty program, but getting it right out of the gate is critical. Start with tools like HackerOne’s assessment offering and build from there — the bugs will come crawling.