Vetting researchers builds trust in bounty programs

Kacy Zurkus


Conservative enterprises have been tentative about joining forces with hackers, but third-party bug bounty platforms have proven that their vetting process ensures a highly qualified and trustworthy talent pool. Because security researchers are able to discover vulnerabilities and alert enterprises to flaws in applications before a breach, there is value in trusting ethical hackers.

Bugcrowd’s recent State of Bug Bounty report noted that many bug bounty programs are run on third-party platforms that “manage the operational end of the programs, bringing the research community together and handling the payment process, opening up the opportunity for more companies to successfully run bug bounty programs.”

While companies from Facebook and Google to Tesla and United Airlines have popularized bounty reward programs, more conservative enterprises outside of the technology industry, such as larger financial services and healthcare organizations, have not been as comfortable taking the leap of faith that the benefits of bounty programs outweigh the risks. This tentative response across industries outside of tech has led to the rise of private or invitation-only programs.

Jay Kaplan, CEO of Synack, said that for these more conservative enterprises, it is “really important to have contractual obligations.” Companies want to know who they are dealing with, and a vetting process that includes background checks and behavioral interviews can winnow down the candidate pool to the most trustworthy prospects.

“Candidates need to be well versed in techniques, but a vetting process has to be about both skills and trust,” Kaplan said. The vast majority of enterprises want to know that the people they are dealing with can be trusted.

“Some companies,” Kaplan noted, “will never be able to take that leap of faith that they can trust doing business with hackers who haven’t gone through some screening process.” Kaplan said as more success stories reveal the efficacy of private bounty programs, “more conservative organizations will adopt these measures.”

There have been many security successes in both public and invitation-only bounty programs. They run the gamut from uncovering criminals gaining access to files or transferring money out of accounts, to a variety of other serious issues that had gone undetected for months.

The Bugcrowd report noted that 67.7 percent of the vulnerabilities detected in public and invitation-only programs fell into categories such as information leakage, password recovery, lack of security headers, and authentication issues. The top six vulnerability categories that make up the remaining 32.3 percent of issues are XSS, CSRF, Clickjack, Mobile_Device, SQLI, and Mobile_Net.

Bounty programs bring together those who are capable of finding these and other vulnerabilities with the enterprises that need to protect themselves against criminals with malicious intent. Perhaps a different way of looking at bug bounty programs is to move beyond the connotations associated with the word ‘hacker’.
