Debunking the 4 Most Common Myths About Bug Bounties
Bug bounty programs have become very popular. An organization (historically large tech companies, but increasingly companies of every size) invites a crowd of outside researchers to find security issues in its applications and pays for each valid, previously unknown report. Rewards are scaled to the severity and impact of the vulnerability, not to the time the researcher spent finding it; they typically range from a few hundred dollars for low-impact issues to $100,000 or more for critical ones. Google alone paid out $2.9 million in bug bounties in 2017.
A number of misconceptions have grown up around bug bounties. This article addresses four of the most common ones.
Bug Bounty Programs Have to be Public
Bounty programs do not have to be public, and in practice most of them are private. In a private program, a small group of researchers is selected against a specific set of requirements (specialist skills, track record, location, availability) and invited to participate; every report, every participant, every reward, and the very existence of the program stays confidential. Organizations favor private programs because they keep report volume and noise manageable, keep the bounty spend predictable, and limit how much of the attack surface is advertised while the vulnerability-handling process is still maturing. Many organizations also run a private program first as a rehearsal before opening up. A public program attracts the largest number of security researchers, but it also requires the organization to forecast the bounty budget, brief the legal and marketing teams, establish a DevSecOps communication path, and make sure the triage and remediation process is well-rehearsed, because report volume rises sharply the day the program goes public.
Bug Bounties Have to be Continuous Throughout the Year
That is not true either. Just as you control how many researchers take part, you control the window during which they are allowed to test. While many organizations run continuous programs, time-limited programs are common as well: for example, a few weeks of testing around a major release, a new product launch, or a migration. Whatever the testing window, the obligation to fix what was found does not end with it; valid reports submitted during the window still need to be triaged and remediated.
You Have to Award Bounties to Work with Hackers
There is a competitive bounty market in which the most successful hunters have earned millions of dollars over time, but you can also receive vulnerability reports from outside researchers without offering any financial reward. The mechanism is a Vulnerability Disclosure Program (VDP): a published policy that tells researchers which assets are in scope, how to report a finding, what testing is and is not authorized (ideally with an explicit safe-harbor statement), and what response they can expect. Publishing a security.txt file (RFC 9116) at the well-known path on your domain is the standard way to make the reporting channel discoverable. A VDP gives researchers a sanctioned path to you, so that unpleasant surprises such as a public disclosure on Twitter or a vulnerability arriving through your customer-service channels can be avoided. Note that a VDP is not free: someone still has to triage and respond to every report in a timely way, or researchers will stop using it.
Bug Bounties Don’t Encourage Developers to Communicate with Hackers
Developers are the ones who have to fix the bugs, and to do that they need clarity. Instead of working through a 100-page PDF report or sitting in a 90-minute readout from a penetration testing company, bug bounty platforms let developers talk to the researcher directly, asynchronously, in a shared thread attached to the report. They can ask for a clearer reproduction, tag colleagues, assign a vulnerability to a different team, and add contractors or vendors to a report. These platforms are designed to make communication and collaboration as streamlined as possible, and most integrate with issue trackers and development tools so that a triaged report becomes a ticket in the team's own workflow, a direct line from the researcher to the engineers who will ship the fix.
None of this is meant to suggest that you should choose a bug bounty program over a penetration testing company, or vice versa; that is a debate for another time, and both approaches have pros and cons. The aim here is only to clear up misconceptions that can mislead an organization when it is deciding how to engage outside researchers. I hope this article serves that purpose.