Vetting researchers builds trust in bounty programs

Kacy Zurkus

Sean Curran, director in West Monroe Partners’ Technology Infrastructure and Operations practice, said, “Bug bounties have also led to the development of automation tools and bug identification techniques that can be used to assist with quickly identifying poor coding practices or potential vulnerabilities.”

The greatest challenge with security is that very little can be categorized. Curran said, “As we continue to see an increase in the Internet of Things market, which includes extending connectivity to devices that were traditionally never designed to be publicly accessible, we will continue to see products that lack the security controls and security maturity of traditional software products.”

These evolutions in technology open more doors for vulnerabilities to go undetected. “There is no one flaw or flaw type that is missed. Each product presents a unique solution solving a unique problem. The vulnerabilities in Java differ widely from those in Internet Explorer,” said Curran.

It is this uniqueness that results in the challenges with identifying and resolving every bug possible, Curran noted. “If it were that simple, we wouldn’t see the vulnerabilities we do today because someone would automate a solution,” he continued.

“The US DoD and DARPA run annual challenges that could be construed as bug bounties. They have recognized that the power of many minds looking at problems through different lenses and with different experiences can result in innovative approaches to solving a problem,” Curran said.
