Bug bounty programs are increasingly popular and form part of many organizations’ strategies for discovering security issues in their applications. Organizations of all sizes and verticals have launched bug bounty programs, including Google, Facebook, Uber, AirBnB, Starbucks, and countless others. Going by the "star boards" and "thank you" messages on bug bounty pages, we can gather that these programs have been successful and that the organizations have found a good number of vulnerabilities, and at very low cost. This would lead anyone to believe that a bug bounty program is the way to go for finding security vulnerabilities in their applications.
But is there more to it?
Certainly! While a bug bounty program will help you catch those nasty vulnerabilities at a relatively low cost, it should not be your primary security testing strategy. By exposing a vulnerable application to users, whether internal or external, you are susceptible to data theft and application compromise. Not all hackers will be "ethical" hackers; some may exploit the vulnerabilities they identify for malicious gain rather than reporting them to you. This could lead to serious consequences, including business loss, reputational damage, and legal proceedings. The impact could be particularly severe for small to mid-size organizations that lack adequate backups, infrastructure, and tools, leaving them in an irrecoverable state that disrupts their business operations.
So, there is no substitute for a formal and periodic security testing cycle when it comes to ensuring the security of your applications. Security testing, when done by the right professionals with the right tools and techniques, can ensure that most security vulnerabilities are caught upfront, giving organizations an opportunity to fix them before the application is rolled out to end users. Security testing should be carried out before the initial launch of the application and repeated, at a minimum, before every major release.
However, with continuously evolving technology and hacking techniques, and with continuous changes to applications, security flaws may remain even after periodic security tests. A bug bounty program can be adopted as a good secondary security strategy to uncover vulnerabilities where the RoI of formal security testing falls below acceptable levels. Such vulnerabilities should be treated as an acceptable business risk and addressed through bug bounty programs.