Bug-bounty programs have accelerated in the past few years. Many organizations — bewitched by bounty programs' promise of faster vulnerability identification, improved product security, and cost-effective outsourcing solutions — find themselves facing unanticipated vulnerabilities and unexpected threats. What at first appeared as a reliable quick fix to a big problem has instead become a new liability.
With validation requirements growing in complexity and compliance framework audit fatigue on the rise, no one can afford to jump into a bug-bounty program without careful and strategic consideration. Unfortunately, hidden risks abound. Bug-bounty programs:
- Are not accredited third-party attestations, nor do they satisfy regulatory compliance requirements.
- May quickly identify vulnerabilities but fall short in providing in-depth testing and fail to cover the entire attack surface.
- Provide ethical hackers access to source code, which opens the door for adversaries to find vulnerabilities and freely exploit them for nefarious purposes.
One of the most overlooked challenges is that bug-bounty program costs can easily spin out of control. This can happen due to the potentially unlimited number of identified vulnerabilities (paying the bounty), vulnerabilities used for nefarious purposes (compromise of regulated data), remediation of harmless vulnerabilities (wasted development time), and legal judgments (negligence in speed to remediate).
The bug bounty is often seen by executive leadership as a silver bullet that efficiently exposes vulnerabilities using an outsourced, pay-as-you-go model. As a result, many programs overemphasize a bounty's value within a comprehensive security strategy. It's too easy for bottom-line decision-makers to approve these programs without informed caution and diligence. There are just too many what-ifs.
Perhaps the most fundamental problem is human nature, which raises several questions. What if one of your ethical hackers isn't so ethical? What if a negligent bounty hunter simply fails to report a bug? What if that's the one bug that the company can't afford to leave undetected and finds out later the hard way? What if a company relies too heavily on bug-bounty programs as a form of testing but neglects to attest in accordance with PCI, FedRAMP, or other regulatory compliance frameworks?
In a recent forensic review, we came across a situation where a bounty hunter failed to disclose a vulnerability that was easily hacked two months later. This resulted in a huge compromise of high-value client data that was stolen and sold, right under the nose of the program that was supposed to prevent this.
Fortune 500 companies in particular are noticing an increase in attacks on the applications they've tried to protect with bug bounties. Attack vectors in high-production environments are expanding in concert with higher payouts for bounties and more visible targets of opportunity. When the volume of submissions goes up, so does the potential for white-hat cheating and for unauthorized access being handed to internal and external bad actors lurking on the sidelines.
The vast majority of good-guy hackers are on our side. However, the typical bug-bounty program provides an incentive to monetize single vulnerabilities for a quick payout. In theory this mercenary practice is productive, but it can't be allowed to outweigh the need for proper vetting or the assurance that the program covers the full attack-surface spectrum.
With so many breaches, the exposure to legal liabilities is tremendous. There is too much established case law now that holds companies accountable. More and more, failed bug-bounty programs come up in the legal discovery process and are used to prove negligence.
Making It Work
Despite the pitfalls, we see these programs every day and know that bug bounties can still work and can play an important role in enterprise risk management.
First, we recommend delegating bug-bounty oversight to external legal teams. The goal is not just finding bugs but also protecting the organization from legal and regulatory liabilities, since we see legal exposure for not remediating program-identified vulnerabilities in a timely fashion. Courts will look for evidence that the organization took reasonable measures to remediate identified vulnerabilities in a timely manner, and they will hold the organization accountable. There is no way to hold a bounty hunter accountable or responsible for missing or failing to report a bug.
Most importantly, by their very nature and as an offensive strategy, bug-bounty programs are limited in what they can detect, and it's a given that other cyber issues will be overlooked. We routinely come across Severity 1 vulnerabilities at companies that have been relying on bug-bounty programs to assure their security. Sometimes the programs lose focus, sometimes the prospective return on investment is no longer seen as beneficial, and sometimes they just stop. Perhaps the budget breaks with too many payouts, and the doors open for exploitation.
Bounties Augment Security
Management should buy in to bug-bounty programs as augmentation to a comprehensive security strategy. It's the fine-tuning between aggressive bug hunting and a dynamic, scalable security program that keeps everything in holistic balance.
Start with a layer of legal protection. Engage your internal counsel to review the program and determine whether the best course is to work with external counsel so that your organization is protected by legal privilege. Then, make sure your bug-bounty program and vulnerability remediation processes are in lockstep. There are solution integrations available that can aid in achieving this goal. The common denominator is coordination of stakeholders, business leaders, and delivery resources, and establishing effective planning and communication.
Bug bounties have their place. With all eyes on improving CI/CD pipelines, DevSecOps, and software development life cycles in multicloud environments, we need to streamline our bug-hunting efforts within today's more sophisticated security programs.