What is a Bug Bounty Program? And Why Your Organization Needs One

Bug Bounty: Leveraging the Hive Mind to Bolster Your Security Posture

13 May 2024

By Stefanie Bartak

At one time, most cyber security professionals viewed hackers as the arch enemy, to be neutralized immediately whenever they struck.

But today, many cyber security pros are harnessing this enigmatic hive mind for their company’s benefit. It may sound a bit crazy at first, but what if you could put this high-level hacking prowess to work to help protect your organization and improve your cyber security?

You can, with a Bug Bounty Program.

In this two-part blog series, we’ll explain what a Bug Bounty Program is, why every organization needs one, and how to create and/or find a partner who offers the best program.

Bug Bounty basics

Around the world there are more than 600k bug bounty hackers, known professionally as “researchers” or “finders,” who hunt software bugs: flaws in application code, enterprise systems, websites and more.

When they discover one, researchers report it to the company that owns the software in exchange for a bounty, a fee paid by the company for pointing out the flaw. In principle this gives the company an opportunity to fix the bug before bad actors can exploit it. For some researchers, bug bounty hunting is a full-time job, and their skills and expertise complement companies’ own cyber security programs.

While it might seem risky or suspect to those who are unfamiliar with the process, both official and unofficial codes of conduct and community norms have emerged to instill trust, guide researchers’ ethical compass, and keep the emerging industry on the up-and-up. Some companies fear being extorted or blackmailed by a researcher who withholds details of the vulnerability (or worse, posts it on a public forum), but researchers know such antics would end their career: no program would pay them a bounty again.


The business value of bug bounty

In fact, bug bounty hunting has become a valuable service industry. As the number of cyber security incidents keeps climbing, bug bounty helps to reduce companies’ risk by finding and addressing vulnerabilities before they’re exploited. A growing number of regulations and standards also now expect organizations to have a defined process for receiving and handling vulnerability reports from outside parties (coordinated vulnerability disclosure), which a bug bounty program provides.

By some estimates, bug bounty researchers have already identified over 150K valid vulnerabilities worldwide, for which companies have paid over $80M in bounties. That might sound like a lot, but at an average of just over $533 apiece (though some critical findings run as high as $15,000), it is a tremendous saving compared to the widely cited average $4.35M cost of a breach, not to mention the reputation damage incurred if those vulnerabilities had been found and exploited by bad actors. Bear in mind that the bounty is only part of the cost: the triage and remediation effort behind each valid report is not included in that figure.


Bug Bounty can’t be bedlam

While bug bounty hunting can be extremely worthwhile for companies, it is often handled ad hoc: most organizations don’t have a formal process for receiving, handling, and resolving these reports. That’s where the trouble can begin.

For companies without a bug bounty program, researchers typically contact the IT or cyber security team through an email alias they find online. They’ll alert them to the bug and name their price for the bounty in exchange for providing details the company can use to remediate.

In an ideal world, someone at the company actually reads that email and it kicks off a negotiation: the company might counter with a lower monetary offer, and so forth, until they reach a deal with the researcher.

Without a formal process, those emails often land in spam or are simply ignored. The bug hunters might then try sending the message to the CTO, the compliance team, or even the CEO in an effort to get the company’s attention and alert them to the vulnerability.

If they don’t get a response, or get an unsatisfactory one, some researchers might then threaten to publish the information to a hacker community. It is a tactic both to extract payment and to punish the company for its lack of sophistication in not having a bug bounty protocol in place. Others simply follow a published disclosure deadline and release the details once it passes; that is a community norm rather than extortion, but for an unprepared company the effect is much the same.

Exterminate threats with a bug bounty program

Creating a formal Bug Bounty Program can be extremely valuable for companies, helping you avoid being blackmailed, extorted or compromised. A Bug Bounty Program involves devising a formal policy for how bug hunters can send their reports and what is in scope, safe-harbor language so that good-faith researchers are not threatened with legal action, report intake and response processes, bounty payment schemes including dollar amounts and method of payment, and exactly what’s required for bug hunters to collect their bounty.
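The first of those components, a discoverable intake channel, is what stops reports from being sent to whatever email alias a researcher happens to find online. As an added illustration that is not part of the original post, here is what that channel looks like when published as a security.txt file in the RFC 9116 format, served at /.well-known/security.txt on the company’s site. The hostname, mailbox and URLs are placeholders; the field names are those defined by the RFC.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116 format).
# example.com, the mailbox and every URL below are placeholders for this example.

# Where to send reports (at least one Contact line is required).
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Required: the date after which this file should be treated as stale.
Expires: 2025-06-30T00:00:00.000Z

# Optional: key for encrypting reports, the disclosure policy (scope,
# safe harbor, bounty terms) and where researchers are credited.
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Two practical points: the mailbox or form listed under Contact has to be monitored and routed into the triage process, otherwise the file only makes the problem on this page easier to trigger; and Expires must be kept current (the RFC recommends a date less than a year out), since researchers and scanners treat an expired file as untrustworthy.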

It also positions your company as sophisticated, security savvy and contemporary. A formal bug bounty program signals that your company understands how modern cyber security works and is prepared to leverage the expertise of the research community.

It also gives you continuous, crowd-sourced vulnerability testing by some of the most skilled researchers in the world, which shortens your exposure window and bolsters your security program. Finally, it demonstrates to your users, clients and stakeholders that you’re confident in your cyber security systems and take security very seriously.


Is your bug bounty program ready?

As you might expect, developing and operating a sophisticated bug bounty program can take a lot of expertise and resources. You’ll need IT and engineering, legal, compliance, accounting and corporate communications all involved. And you’ll need systems and protocols for triaging incoming vulnerability reports (reproducing the finding, rating its severity, and deduplicating it against issues already known or already reported) and for managing the negotiation and mitigation process.

NCC Group’s Bug Bounty Services provide an expert-led, service-focused solution that offers turnkey bug bounty support. Since 2014, our Bug Bounty Services practice has provided everything from triage to remediation with end-to-end support that goes beyond automated platforms and generic, unverified reports. It provides deep subject matter expertise, dedicated program managers and bespoke solutions.

Stay tuned for our next installment that covers how to build a bug bounty program or find the right partner to meet your needs.


Stefanie Bartak

Associate Director of Program Management, NCC Group

Stefanie is the Associate Director of Program Management on the Vulnerability Management Team; she oversees Program Managers and the programs they support for large enterprise clients. She has over 17 years of experience in the information security industry and has helped numerous organizations improve their security programs.

Start exterminating threats.

Check the service page to learn more about NCC Group’s Bug Bounty Services or fill out a contact form to start a conversation with our Bug Bounty Team today.