Beware the Bug Bounty

In recent months, bug-bounty programs have shifted from mitigating risk to inadvertently creating new liabilities for customers and vendors.

Joseph Neumann & Doug Hudson, Cyber Executive Advisor/Senior Director, Coalfire

April 20, 2021

5 Min Read

Bug-bounty programs have accelerated in the past few years. Many organizations — bewitched by bounty programs' promise of faster vulnerability identification, improved product security, and cost-effective outsourcing solutions — find themselves facing unanticipated vulnerabilities and unexpected threats. What at first appeared as a reliable quick fix to a big problem has instead become a new liability.

With validation requirements growing in complexity and compliance framework audit fatigue on the rise, no one can afford to jump into a bug-bounty program without careful and strategic consideration. Unfortunately, hidden risks abound. Bug-bounty programs:

  • Are not accredited third-party attestations, nor do they satisfy regulatory compliance requirements. 

  • May quickly identify vulnerabilities but fall short in providing in-depth testing and fail to cover the entire attack surface. 

  • Provide ethical hackers access to source code, which opens the door for adversaries to find vulnerabilities and freely exploit them for nefarious purposes.

One of the most overlooked challenges is that bug-bounty program costs can easily spin out of control. This can happen due to the potentially unlimited number of identified vulnerabilities (paying the bounty), vulnerabilities used for nefarious purposes (compromise of regulated data), remediation of harmless vulnerabilities (wasted development time), and legal judgments (negligence in speed to remediate).

Avoiding Pitfalls
The bug bounty is often seen by executive leadership as a silver bullet that efficiently exposes vulnerabilities using an outsourced, pay-as-you-go model. As a result, many programs overemphasize a bounty's value within a comprehensive security strategy. It's too easy for bottom-line decision-makers to approve these programs without informed caution and diligence. There are just too many what-ifs.

Perhaps the most fundamental problem is human nature, which raises several questions. What if one of your ethical hackers isn't so ethical? What if a negligent bounty hunter simply fails to report a bug? What if that's the one bug that the company can't afford to leave undetected and finds out later the hard way? What if a company relies too heavily on bug bounty programs as a form of testing but neglects to attest in accordance with PCI, FedRAMP, or other regulatory compliance frameworks?

In a recent forensic review, we came across a situation where a bounty hunter failed to disclose a vulnerability that was easily hacked two months later. This resulted in a huge compromise of high-value client data that was stolen and sold, right under the nose of the program that was supposed to prevent this.

Fortune 500 companies in particular are noticing an increase in attacks on the applications they've tried to protect with bug bounties. Attack vectors in high-production environments are expanding in concert with higher payouts for bounties and more visible targets of opportunity. When the quantity goes up, so does the potential for white-hat cheating, and triggering unauthorized access to internal and external bad actors lurking on the sidelines.

The vast majority of good-guy hackers are on our side. However, the typical bug-bounty provides incentive to monetize single vulnerabilities for quick payout. This mercenary practice in theory is productive, but it can't be allowed to outweigh the need for proper vetting or the assurance that the program covers the full attack-surface spectrum.

With so many breaches, the exposure to legal liabilities is tremendous. There is too much established case law now that holds companies accountable. More and more, failed bug-bounty programs come up in the legal discovery process and are used to prove negligence.

Making It Work
Despite the pitfalls, we see these programs every day and know that bug bounties can still work and can play an important role in enterprise risk management.

First, we recommend delegating bug-bounty oversight to external legal teams. We're not just looking for bugs but in protecting the organization's exposure to legal and regulatory liabilities, as we see legal exposure for not remediating program identified vulnerabilities in a timely fashion. Courts will be looking to see that the organization took reasonable measures in remediating identified vulnerabilities in a timely manner and holding the organization accountable. There's no ability to hold a bounty hunter accountable or responsible for missing or failing to report a bug.

Most importantly, by their very nature and as an offensive strategy, bug-bounty programs are limited in what they can detect, and it's a given that other cyber issues will be overlooked. We routinely come across Severity 1 vulnerabilities at companies that have been relying on bug bounty programs to assure their security. Sometimes the programs lose focus, sometimes the prospective return on investment is no longer seen as beneficial, and sometimes they just stop. Perhaps the budget breaks with too many payouts, and the doors open for exploitation.

Bounties Augment Security
Management should buy in to bug-bounty programs as augmentation to a comprehensive security strategy. It's the fine-tuning between aggressive bug hunting and a dynamic, scalable security program that keeps everything in holistic balance.

Start with a layer of legal protection. Engage your internal counsel to review the program and determine if best course is to work with external counsel so that your organization is protected with legal privilege. Then, make sure your bug-bounty program and vulnerability remediation processes are in lockstep. There are available solution integrations that can aid in achieving this goal. The common denominator is coordination of stakeholders, business leaders, and delivery resources, and establishing effective planning and communication.

Bug bounties have their place. With all eyes on improving CI/CD pipelines, DevSecOps, and software development life cycles in multicloud environments, we need to streamline our bug-hunting efforts within today's more sophisticated security programs.

About the Author(s)

Joseph Neumann & Doug Hudson

Cyber Executive Advisor/Senior Director, Coalfire

Joseph Neumann, Cyber Executive Advisor, Coalfire
Joseph is a Cyber Executive Advisor for the Threat Vulnerability and Management practice at Coalfire. Joe's primary focuses as a Director were focused one FedRAMP compliance based testing and standardizations around penetration testing. Joe brings over 20 years of information security experience working with the Department of Defense and other government Intelligence Agencies. He has extensive experience with high security environments and Red Teaming against a variety of Department of Defense and Intelligence Community networks. His work at the DoD ranged from close access physical security assessments to complex Red Team network engagements against Department of Defense Cyber Defense teams. During the initial creation of Cyber Protection and Defense teams, Joe worked extensively training and testing DoD blue teams through us of adversarial tactics and engagements. He's a decorated military veteran that developed and shaped the Army's network hunt and threat emulation operations and doctrine within the Cyber Protection teams. LinkedIn.

Doug Hudson, Senior Director, Coalfire
Doug focuses on advising the board, C-suite, and information risk executives and related advisory committees on risk management, cybersecurity strategy, governance, overall technology management, privacy and compliance. He brings Coalfire more than 20 years experience of working in strict and ever-changing regulatory environments, including financial services, retail operations, telecom, cloud/tech, healthcare and pharmaceuticals. For the past five years at Coalfire, Doug has led teams delivering on projects for some of Coalfire's largest clients helping them navigate complex regulatory environments (i.e. FFIEC, GDPR, CMMC, etc.). Prior to joining Coalfire, Doug was an Enterprise Security Architect Sr. Manager within Accenture's Security Strategy, Transformation and Risk Management Practice, leading high-profile projects, for well known financial, healthcare, and governmental institutions contributing to the delivery of over $1 billion dollars in revenue. He regularly speaks on cyber risk management topics at security conferences and leads Coalfire's Incident Management offering. LinkedIn.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights