Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
10:00 AM
Connect Directly
E-Mail vvv

Beware the Bug Bounty

In recent months, bug-bounty programs have shifted from mitigating risk to inadvertently creating new liabilities for customers and vendors.

Bug-bounty programs have accelerated in the past few years. Many organizations — bewitched by bounty programs' promise of faster vulnerability identification, improved product security, and cost-effective outsourcing solutions — find themselves facing unanticipated vulnerabilities and unexpected threats. What at first appeared as a reliable quick fix to a big problem has instead become a new liability.

With validation requirements growing in complexity and compliance framework audit fatigue on the rise, no one can afford to jump into a bug-bounty program without careful and strategic consideration. Unfortunately, hidden risks abound. Bug-bounty programs:

  • Are not accredited third-party attestations, nor do they satisfy regulatory compliance requirements.
  • May quickly identify vulnerabilities but fall short in providing in-depth testing and fail to cover the entire attack surface.
  • Provide ethical hackers access to source code, which opens the door for adversaries to find vulnerabilities and freely exploit them for nefarious purposes.

Related Content:

Bug Bounty Hunters' Pro Tips on Chasing Vulns & Money

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

One of the most overlooked challenges is that bug-bounty program costs can easily spin out of control. This can happen due to the potentially unlimited number of identified vulnerabilities (paying the bounty), vulnerabilities used for nefarious purposes (compromise of regulated data), remediation of harmless vulnerabilities (wasted development time), and legal judgments (negligence in speed to remediate). 

Avoiding Pitfalls
The bug bounty is often seen by executive leadership as a silver bullet that efficiently exposes vulnerabilities using an outsourced, pay-as-you-go model. As a result, many programs overemphasize a bounty's value within a comprehensive security strategy. It's too easy for bottom-line decision-makers to approve these programs without informed caution and diligence. There are just too many what-ifs.

Perhaps the most fundamental problem is human nature, which raises several questions. What if one of your ethical hackers isn't so ethical? What if a negligent bounty hunter simply fails to report a bug? What if that's the one bug that the company can't afford to leave undetected and finds out later the hard way? What if a company relies too heavily on bug bounty programs as a form of testing but neglects to attest in accordance with PCI, FedRAMP, or other regulatory compliance frameworks?

In a recent forensic review, we came across a situation where a bounty hunter failed to disclose a vulnerability that was easily hacked two months later. This resulted in a huge compromise of high-value client data that was stolen and sold, right under the nose of the program that was supposed to prevent this.

Fortune 500 companies in particular are noticing an increase in attacks on the applications they've tried to protect with bug bounties. Attack vectors in high-production environments are expanding in concert with higher payouts for bounties and more visible targets of opportunity. When the quantity goes up, so does the potential for white-hat cheating, and triggering unauthorized access to internal and external bad actors lurking on the sidelines.

The vast majority of good-guy hackers are on our side. However, the typical bug-bounty provides incentive to monetize single vulnerabilities for quick payout. This mercenary practice in theory is productive, but it can't be allowed to outweigh the need for proper vetting or the assurance that the program covers the full attack-surface spectrum.

With so many breaches, the exposure to legal liabilities is tremendous. There is too much established case law now that holds companies accountable. More and more, failed bug-bounty programs come up in the legal discovery process and are used to prove negligence. 

Making It Work
Despite the pitfalls, we see these programs every day and know that bug bounties can still work and can play an important role in enterprise risk management.

First, we recommend delegating bug-bounty oversight to external legal teams. We're not just looking for bugs but in protecting the organization's exposure to legal and regulatory liabilities, as we see legal exposure for not remediating program identified vulnerabilities in a timely fashion. Courts will be looking to see that the organization took reasonable measures in remediating identified vulnerabilities in a timely manner and holding the organization accountable. There's no ability to hold a bounty hunter accountable or responsible for missing or failing to report a bug. 

Most importantly, by their very nature and as an offensive strategy, bug-bounty programs are limited in what they can detect, and it's a given that other cyber issues will be overlooked. We routinely come across Severity 1 vulnerabilities at companies that have been relying on bug bounty programs to assure their security. Sometimes the programs lose focus, sometimes the prospective return on investment is no longer seen as beneficial, and sometimes they just stop. Perhaps the budget breaks with too many payouts, and the doors open for exploitation.

Bounties Augment Security
Management should buy in to bug-bounty programs as augmentation to a comprehensive security strategy. It's the fine-tuning between aggressive bug hunting and a dynamic, scalable security program that keeps everything in holistic balance.

Start with a layer of legal protection. Engage your internal counsel to review the program and determine if best course is to work with external counsel so that your organization is protected with legal privilege. Then, make sure your bug-bounty program and vulnerability remediation processes are in lockstep. There are available solution integrations that can aid in achieving this goal. The common denominator is coordination of stakeholders, business leaders, and delivery resources, and establishing effective planning and communication.

Bug bounties have their place. With all eyes on improving CI/CD pipelines, DevSecOps, and software development life cycles in multicloud environments, we need to streamline our bug-hunting efforts within today's more sophisticated security programs.


Joseph Neumann, Cyber Executive Advisor, CoalfireJoseph is a Cyber Executive Advisor for the Threat Vulnerability and Management practice at Coalfire. Joe's primary focuses as a Director were focused one FedRAMP compliance based testing and standardizations around penetration ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.