The Ultimate Guide to Bug Bounty Platforms
The Ultimate Guide to Bug Bounty Platforms
Learn how bug bounty programs work to outsource continuous, cost-effective cybersecurity.
Join the DZone community and get the full member experience.Join For Free
It seems like not a week goes by without a news article that some company got hacked. Even tech giants, such as Facebook, Apple or Google are not immune from cybercriminals. Facts speak for themselves: according to the report compiled by the Center for Strategic and International Studies, nearly $600 bn has been lost to cybercrime in 2018 alone. As a result, global spending on cybersecurity has risen by 17% in the past 2 years and is projected to be at a record high $96 Bn in 2018.
Is there a way companies can effectively protect themselves from this menace? Well, today we are going to tell you about bug bounty platforms that have built themselves a reputation of being a cost-efficient solution to cybersecurity threats that companies face. We are going to explain how they work and what value bug bounty platforms bring to businesses around the world.
Before we describe how a typical bug bounty platform works, it is important to understand what the term “bug bounty program” means:
A bug bounty program is a process in which a company engages third-party cybersecurity experts (in the industry, they are called “white hat hackers” or “security researchers”) to test their software for vulnerabilities. For each vulnerability (bug) found, researchers receive a monetary reward (bounty). The company simply announces the Bug Bounty Policy scope of work (a document that includes all the details about the program) to the public and anyone can register and take part in the bug bounty program. These are so-called “Self Hosted Bug Bounty Programs”.
However, on practice, not every company can afford to host a bug bounty program on its own. Why? Well, there are a couple of reasons:
- Lack of publicity and brand credibility. Unless you are a large tech company, such as Apple, Google or Facebook few people know who you are. So, when you tell the whole world “Hurray, we’ve launched a bug bounty program” - few people will sign up. You are not on the “researchers radar” so to speak.
- The second reason is that in most cases, companies do not have the proper infrastructure or resources to process the flow of reports that come from researchers. Companies don’t have enough expertise to communicate with researchers and fix the vulnerabilities at the same time.
Lack of publicity and relevant qualified personnel means that most companies can’t properly host their own bug bounty programs. This is where bug bounty platforms, such as HackenProof come into play. These are companies that specialize in hosting bug bounty programs for other companies.
What Is a Bug Bounty Platform?
Any bug bounty platform consists of three main components:
- A dedicated ticket system, for processing vulnerability reports that are being sent by researchers.
An in-house team of cybersecurity experts who check and verify vulnerability reports (the process is called “triage”). Triage specialists also act as a communication bridge between researchers and clients.
- A community of white hat hackers. The larger the community, the stronger the bug bounty platform. This is one of the most important parts of the bug bounty platform.
A community of white hat hackers is precisely the reason why bug bounty platforms can host bug bounty programs on their own. They already have a loyal community of white hat hackers that are ready to test products that are hosted on a platform. This is the “super-power” of Bug Bounty Platforms.
How Does the Bug Bounty Process Actually Work?
First, the security team from a bug bounty platform helps a client to create “Bug Bounty Policy”. This document describes in detail every aspect of a bug bounty program - a list of applications or services that researchers are allowed to hack, Disclosure Terms & Rules that describe how exactly a bug should be reported on a platform, compensation details for vulnerabilities, “out of scope” section, etc.
Once that is done, a bug bounty platform publishes a program on its website and launches marketing activities to attract white hackers to participate in a program. From this point on, the bug bounty program is considered to be “live”.
Once, the program is live, researchers hack the assets that have been described in the Bug Bounty Policy and send bug reports through the bug bounty platform website.
A team of triage specialists checks whether the vulnerability is unique and valid (can be reproduced), and is within the scope of a program.
If a bug has been verified by the triage team, the researcher gets his bounty and a client receives a complete bug report, which describes in detail how to reproduce a vulnerability and what needs to be done to “fix the bug.”
Steps 3-5 are repeated over and over, as researchers find more vulnerabilities. Large companies can run bug bounty programs for months and sometimes even years. The number of bugs found in one bug bounty program can vary from a half dozen to a few hundred.
What is the advantage of a bug-bounty platform over a traditional cybersecurity consulting company that provides cybersecurity services?
Bug bounty platforms have several key advantages:
- Access to human capital: A conventional cybersecurity company has an average of 5-20 employees who will test your software. Whereas a Bug Bounty Platform has hundreds or even thousands of researchers from all over the world that specialize in various fields (web, mobile, blockchain protocols, payment systems, smart contracts, etc.). Bug bounty platforms have access to much more human capital than traditional cybersecurity services companies.
- Timeframe: A standard penetration test usually lasts for a couple of weeks or months, while the bug bounty program lasts for months or even years (and all this time the reporters will actively try to find vulnerabilities in your product). With such a long test timeframe, the chance of a bug “slipping by” is incredibly small.
- Compensation system: A standard compensation system in a penetration test is based on a process. Meaning that a client will pay regardless of how many bugs were found during the penetration test. While the compensation system in a bug bounty program is based on the number of confirmed vulnerabilities. So a client will only pay for vulnerabilities that have been checked and validated by the triage team.
Considering the fact that companies are increasingly using online services for their daily operations, they become more and more vulnerable to hacker attacks. Companies have to accept the fact that protection against cyber threats is no longer a discrete but a continuous problem. Hiding from it, or not having it on your “priority list” will add a great risk to one’s business.
Another risk is having a mindset that you can “build a great wall that hackers will never penetrate”. The problem with that mindset is that software is changing all the time. Each software update may contain potential “holes” that cybercriminals can exploit and damage your company.
As we’ve said before - bug bounty platforms employ a “crowd” of researchers from all over the world that specialize in different areas of cybersecurity. This approach means that your products will be constantly tested over and over for a prolonged period of time, by highly skilled cybersecurity experts. Bug bounty platforms, therefore, provide companies with a service that can cost-efficiently and continuously protect their products.
Opinions expressed by DZone contributors are their own.