
The Secrets of Cybersecurity: Bug Bounty Programs’ value for business

29/ 03/ 2021

Bug bounty programs: description

Bug bounty programs invite independent security researchers (ethical hackers) to find vulnerabilities in the web resources of the companies that commission them. Researchers receive a financial reward from these companies, and the amount depends on the type and severity of the vulnerability found. The commissioning companies come from many industries, while the programs themselves are run by specialized platforms such as HackenProof. Demand for bug bounty programs comes largely from giants such as Apple, Google (Android), Goldman Sachs and others. Based on the customer's requirements, the platform writes the program rules for researchers, specifying the assets in scope and the classes of vulnerability the company wants to eliminate. Programs may be permanent or time-limited. Any registered researcher may take part unless the customer specifies that the program is private (invitation-only).

Researchers take part in bug bounty programs for reputational as well as financial reasons: a program is a good opportunity to demonstrate professional skill and depth of knowledge to potential employers. For some ethical hackers, bug bounty participation is a regular source of income. It should not be viewed as steady employment, however: according to HackenProof, only about 10% of the specialists registered on bug bounty programs actually receive a reward for a reported vulnerability. Companies turn to external specialists through bug bounty programs when their internal staff cannot cover existing and potential threats, or when they launch new web resources or update existing ones. In the latter case the aim is to find vulnerabilities before attackers can exploit them.

At the same time, market giants such as Google, Microsoft and Facebook actively develop their own bug bounty programs even though they have strong in-house security teams; Microsoft, for example, spends more than $1 billion a year on cybersecurity. They maintain these programs to attract outside professionals who bring creativity and an unconventional approach to finding vulnerabilities, and who can therefore uncover issues that internal staff, working within fixed processes and constraints, would have missed. In general, the value of a bug bounty program depends on the client's capacity to fix, or fully eliminate, the vulnerabilities it surfaces.

Importance of bug bounty programs for companies

By running a bug bounty program, a company can get ahead of attackers and prevent exploitation of its vulnerabilities. The program gives a business the chance to prevent attacks by using financial incentives to motivate hackers to report what they find rather than exploit it. Most companies that launch a program receive their first vulnerability reports within 24 hours.

A major advantage of bug bounty programs for business is affordability. In most cases the reward for a single vulnerability ranges from $50 to a few thousand dollars, whereas a day of a qualified cybersecurity consultant's work typically costs $1,000 to $5,000. For example, the reward paid to ethical hackers for a critical vulnerability in the cryptocurrency exchange Kuna, found through its bug bounty program on the HackenProof platform, was $5,000, while the potential loss to Kuna had the vulnerability been exploited could have reached seven figures. A company pays only for vulnerabilities actually found, so a program that produces no valid reports costs it nothing in rewards.

Companies should realize, however, that no bug bounty program can guarantee that every vulnerability will be found: for various reasons researcher activity on a program may be low, or researchers' effort may be focused elsewhere. To get the most out of a bug bounty program, a company should therefore also engage professional consultants to check its security regularly through penetration testing (pentest). Only by combining the two approaches can a company properly reduce its cyber risk.

Examples of successful bug bounty programs in the modern digital environment

Both well-known brands and innovative startups run bug bounty programs. A successful program not only tells a company about existing and potential vulnerabilities but also leads to their being fixed. In February 2021 Microsoft paid a $50,000 reward to a bug bounty researcher for a vulnerability whose exploitation could have led to account takeover: the researcher found that user accounts could be hijacked by bypassing the protections in the password-recovery flow. Although exploiting it in practice would require substantial server capacity on the attacker's side, Microsoft rated the vulnerability as critical and paid a substantial reward. GitHub paid a $25,000 reward to a Google researcher who, through its bug bounty program, found a vulnerability in the interaction between repositories and GitHub Actions, the workflow automation service used by organizations. GitHub will continue to test the security of its products through bug bounty programs.
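The Microsoft case above describes a password-recovery check that could be defeated given enough request volume. The Python below is an added illustration written for this article, not Microsoft's code and not the specific flaw the researcher reported: it contrasts a reset-code verifier whose attempt limit lives in the client's session (so a fresh session per guess defeats it) with one that counts attempts per account on the server, expires the code, makes it single-use and compares it in constant time. The service layout and names, the 7-digit code length, the 5-attempt cap and the 10-minute lifetime are all assumptions.

```python
"""Password-reset code verifier: session-scoped attempt limit (bypassable)
versus per-account, server-side throttling.  Added illustration; not
Microsoft's code and not the specific flaw the researcher reported.
The service layout, code length, attempt cap and lifetime are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 7           # assumed: 7-digit numeric reset code
MAX_ATTEMPTS = 5          # assumed: wrong guesses allowed per issued code
CODE_TTL_SECONDS = 600    # assumed: code lifetime


@dataclass
class PendingReset:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class ResetService:
    """hardened=False reproduces the bypassable pattern: the server trusts
    an attempt counter that lives in the client's session, so an attacker
    who starts a fresh session for every guess is never throttled and can
    enumerate the whole code space given enough parallel requests.
    hardened=True counts attempts per account on the server, expires the
    code, makes it single-use and compares it in constant time."""

    def __init__(self, hardened: bool, code_digits: int = CODE_DIGITS,
                 rng: Callable[[int], int] = secrets.randbelow,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.hardened = hardened
        self.code_digits = code_digits
        self.rng = rng          # injectable so tests can fix the code
        self.clock = clock      # injectable so tests can fake time
        self._pending: Dict[str, PendingReset] = {}

    def request_reset(self, account: str) -> str:
        code = f"{self.rng(10 ** self.code_digits):0{self.code_digits}d}"
        self._pending[account] = PendingReset(code=code, issued_at=self.clock())
        return code   # in a real system this is sent to the user out of band

    def verify(self, account: str, guess: str, session_attempts: int = 0) -> bool:
        req = self._pending.get(account)
        if req is None:
            return False
        if not self.hardened:
            # Limit enforced only on the caller-supplied session counter.
            if session_attempts >= MAX_ATTEMPTS:
                return False
            return guess == req.code          # also not constant-time
        if req.locked or self.clock() - req.issued_at > CODE_TTL_SECONDS:
            return False
        req.attempts += 1
        if req.attempts > MAX_ATTEMPTS:
            req.locked = True                 # further guesses always fail
            return False
        ok = hmac.compare_digest(guess.encode(), req.code.encode())
        if ok:
            del self._pending[account]        # single use
        return ok

    def is_locked(self, account: str) -> bool:
        req = self._pending.get(account)
        return req is not None and req.locked


def brute_force(service: ResetService, account: str) -> Optional[str]:
    """Attacker model: every guess arrives in a brand-new session, so the
    session counter is always 0.  Returns the recovered code or None."""
    for n in range(10 ** service.code_digits):
        guess = f"{n:0{service.code_digits}d}"
        if service.verify(account, guess, session_attempts=0):
            return guess
    return None


def demo(code_digits: int = 4) -> dict:
    """Run both variants on a short code so the search finishes quickly."""
    weak = ResetService(hardened=False, code_digits=code_digits)
    weak_code = weak.request_reset("victim")
    hard = ResetService(hardened=True, code_digits=code_digits)
    hard_code = hard.request_reset("victim")
    return {
        "weak_recovered": brute_force(weak, "victim") == weak_code,
        "hard_recovered": brute_force(hard, "victim") == hard_code,
        "hard_locked": hard.is_locked("victim"),
    }


if __name__ == "__main__":
    print(demo())
```

The weak variant fails for the same structural reason as any client-held counter: the server has no state of its own to consult, so the cost of the attack is only the number of requests the attacker can send, which is exactly the "server capacity" caveat in the Microsoft report. The hardened variant makes the attempt budget a property of the issued code, so parallelism and fresh sessions do not help.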

The GTA Online case shows how a bug bounty program can also fix plain technical bugs. An anonymous player found a bug in the game, and by correcting it the developer, Rockstar, cut load times for users by 70%. The company paid the specialist a $10,000 reward under the terms of its bug bounty program.

With the rapid digitization of the economy and the shift from traditional financial instruments to crypto-assets, the popularity of crypto exchanges and wallets is growing fast in both developed and developing countries. They hold user assets whose value in fiat terms can reach ten figures or more, which makes them a lucrative target for cybercriminals. The HackenProof project specializes in organizing bug bounty programs for companies in the blockchain industry. By launching programs on the HackenProof platform, companies such as Gate.io, CoinGecko and FTX have learned about vulnerabilities in their systems and, by fixing them, avoided potentially heavy financial and reputational losses.

As bug bounty programs become more popular with companies, the number of successful cases of ethical hackers finding vulnerabilities in their products grows with it. Only businesses that stay a step ahead of cybercriminals in cybersecurity can hope to preserve a strong reputation in a digitized environment.
