bug bounty program
why companies use bug bounty programs
Bug bounty programs let companies harness a large pool of hackers to find bugs in their code. This gives them access to far more testers than they could engage one-on-one, and it increases the chance that bugs are found and reported to them before malicious actors exploit them.
It can also be a good public relations choice for a firm. As bug bounties have become more common, having a bug bounty program can signal to the public and even regulators that an organization has a mature security program. This trend is likely to continue, as some have started to see bug bounty programs as an industry standard which all organizations should invest in.
Why do researchers and hackers participate in bug bounty programs?
Finding and reporting bugs via a bug bounty program can result in both cash bonuses and recognition. In some cases, it can be a great way to show real-world experience when you’re looking for a job, or can even help introduce you to folks on the security team inside an organization.
For some people this is a full-time income; for others it supplements a job or is a way to demonstrate their skills and land a full-time position.
It can be fun. It’s a great chance to test out your skills against massive corporations and government agencies.
disadvantages of bug bounty programs for organizations
These programs are only beneficial if they surface problems the organization could not have found itself. If the organization isn't mature enough to triage and quickly remediate the issues that come in, a bug bounty program isn't the right choice for it yet.
Any bug bounty program is also likely to attract a large number of submissions, many of them low quality. The organization needs to be prepared for the increased volume of reports and for a low signal-to-noise ratio.
Additionally, if the program doesn't attract enough participants, or attracts participants with the wrong skill set who are unable to identify any bugs, it isn't helpful to the organization. The vast majority of bug bounty participants concentrate on website vulnerabilities, while only a few look for vulnerabilities in operating systems.
This is likely because finding bugs in operating systems, network hardware, and other low-level targets (memory-corruption bugs, for example) requires a significant amount of highly specialized expertise. Companies may therefore see a significant return on investment for bounties on websites but not for other applications, particularly those that require specialized expertise.
This also means that organizations which need an application or website examined within a specific time frame should not rely on a bug bounty, as there is no guarantee of when, or whether, they will receive reports.
alternatives to bug bounty programs
First, organizations should have a vulnerability disclosure program. Essentially, this provides a secure channel for researchers to contact the organization about identified security vulnerabilities, even when no payment is offered. Having an identified point of contact is helpful because reports go straight to the security team rather than to a communications team that may not know how seriously to treat them. It also encourages researchers to report vulnerabilities when they find them. Typically the program also includes a framework for intake, mitigation, and any remediation measures.
Additionally, organizations may opt to hire a penetration testing firm to perform a time-limited test of specific systems or applications. The pen testers work against a curated, directed target and produce a report at the end of the test.
This ensures that the company gets a team of highly skilled, trusted hackers at a known price. It can also request any specialized expertise it needs, and the test remains private rather than open to the public.
Bug Bounty Awards
- Awards may be greater:
  - based on the potential impact of the security vulnerability
  - for well-written reports with complete reproduction instructions / proof-of-concept (PoC) material. See the eligible report requirements above.
  - if a functional mitigation or fix is proposed along with the reported vulnerability.
- Intel will award a bounty award for the first eligible report of a security vulnerability.
- Awards are limited to one (1) bounty award per eligible root-cause vulnerability.
- Intel will award a bounty from $500 to $100,000 USD depending on the vulnerability type and the originality, quality, and content of the report.
- Intel will publicly recognize awarded security researchers via Intel Security Advisories at or after the time of public disclosure of the vulnerability, in coordination with the security researcher who reported the vulnerability.
- Award amounts may change with time. Past rewards do not necessarily guarantee the same reward in the future.
While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations offer closed, invitation-only bug bounty programs. Apple, for example, has limited bug bounty participation to a few dozen researchers.