It's been about a decade since the hype for bug-bounty programs first started going supernova, but the jury is still out on the effectiveness of them. According to Katie Moussouris, founder and CEO of Luta Security, the average organization struggles to squeeze meaningful security results from bug bounties, and continue to wrestle with execution.
Bug-bounty programs are certainly more mainstream than ever, with bounties popular at far more than just the big-name tech companies now. Product security and enterprise cybersecurity professionals at a growing range of organizations increasingly turn to such programs to act as an application security backstop, often fueled by the convenience and sales machine of the growing bug-bounty platform market.
But while many organizations may start out strong with their bug-bounty programs, "at about the 18-month to two-year mark they start to collapse under their own weight," Moussouris tells Dark Reading.
This collapse is typically heralded by overwhelmed, overworked program managers at these companies who are unable to keep up with the volume of bugs submitted by bounty hunters, as well as software that still remains riddled with vulnerabilities and often plagued with the most basic of security flaws.
"I can tell you that bug bounties have been a great idea poorly executed for the last decade or so," says Moussouris, who will be discussing the challenges in a talk scheduled for Thursday, August 11 at Black Hat USA, "Bug Bounty Evolution: Not Your Grandson's Bug Bounty."
"I think that there's room for a ton of improvement, not just in how bug bounties are designed and executed, but also in the holistic picture of the ecosystem in which a bug bounty operates," she said.
One of the big systemic issues is the fact that many bug-bounty programs are implemented irrespective of the maturity of the underlying cybersecurity program's practices. That means asset visibility, vulnerability management, developer training, and more, says Moussouris. While bug bounties may be a great supplement to a solid base of application-security practices, some organizations mistakenly believe they can rely solely on the bounties to keep their software safe.
"From our perspective, we like to say no 'bug-bounty Botox.' We want you to be pretty on the inside," says Moussouris. "We want organizations to be not just prepared to fix the bugs thrown over the fence in a vuln-disclosure program or bug-bounty program, but to be actually looking at their core security investments. [They also need to be] using bug-bounty programs as an indicator of health of their overall security program. Because if you think about it, every bug is a symptom of an underlying disorder in their security system."
Design Bug Bounties for Good Security Outcomes
Moussouris says that the issue is a "systems-dynamic problem at its core." At Black Hat, she plans to explore recommendations on how security teams can design their holistic program to use bounties so that they create the deliberate security outcomes they want and which can be demonstrated in a meaningful and measurable way.
Ultimately, she believes a bug-bounty program shouldn't just highlight the low-hanging fruit that can be discovered from traditional application security practices, but also provide incentives for surfacing the complex, hard-to-find, and harder-to-exploit flaws.
Better Bug-Bounty Programs for Hunters
Moussouris says her talk will also tackle the flip side of the bug-bounty ecosystem — namely the fact that the system doesn't serve bug-bounty hunters very well either.
"It's like the worst gig economy job you could possibly get," she explains. "Worse than an Uber or Lyft job, because you get paid with every gig that you take with Uber and Lyft; you do not get paid for every single bug you find if you are a bug-bounty hunter. So both sides of this marketplace have been done wrong by the commercialization as it currently exists."
Ancillary to that, she'll explore what the security world needs to do to expand the marketplace for security labor, including taking a deep dive into apprenticeship models and building a pipeline for developing talent and education around vulnerability remediation and application security resilience.