The problem with bug bounty programs is that they are quite buggy

So-called bug bounty programs have become popular in recent years, with many tech giants paying hackers – in some cases quite well – to find previously unknown vulnerabilities in their software and applications.

Google, Facebook, Microsoft and others are increasingly willing to reward those who can find vulnerabilities before criminal hackers do. It’s not a new idea and it is motivated by competitive advantage as much as altruistic concerns.

Netscape was doing it way back in the 1990s to help clear its then class-leading web browser of bugs. It was less successful in squashing Microsoft’s rival Internet Explorer, but that’s another story.

The difference is that today there are many more hackers around and our business enterprises and way of life are both inexorably bound up with the internet and connected software. Vulnerabilities in software can have huge consequences for businesses and individuals.

The practice is not without controversy, however. It is based on trust – which, let’s be honest, is never a great thing when dealing with hackers. Even those who claim to be white-hat hackers, i.e. those who genuinely hack for the good of the wider community (and envelopes of dollars from the internet giants), are an unknown quantity.

This might sound harsh, but no-one does this without the attraction of cash and perhaps some personal satisfaction at finding vulnerabilities before anyone else. Hackers tend to be competitive individuals.

Wrapped up in this process is the whole messy and murky world of hacking and the criminal underground. Joining those possibly virtuous white-hat hackers will be the grey-hat hackers (entirely dubious) and black-hat hackers (entirely felonious). It’s very hard to quantify who is working for whom, on what and why in this process. Actually, it’s impossible.

At the same time as finding vulnerabilities in software, there is a danger that those on bug bounty programs will keep some of the juicier vulnerabilities to themselves, to be sold on to criminal hacking groups – for more than they would get from the software companies. Some might join bug bounty programs and work entirely for criminals instead.

It’s true that even a flawed system can make software safer. No code can ever be free of flaws, since it is written by human beings, so any vulnerability exposed and fixed is one fewer that can be exploited.

Where does this leave the users of business software – in other words, you? Ultimately you are not worse off but you are not better off either.

It’s a process out of your control, and a few more bugs ironed out and patched in your daily applications is a good thing.

Ultimately, it makes little difference to in-house and outsourced security operations, which will always be your first line of defence.

Unlike the software giants, end users do not have cash to throw at would-be bug bounty hunters to find the flaws in their systems – nor should they.

Reputable vulnerability assessment and testing service providers that do not rely on freelance hacking “talent” are available instead.

They deploy highly professional, business-minded analysts who understand your business workflows and data management structures. From that they can discover your vulnerabilities and work out how best to protect your data from the exploits that bug bounty programs fail to discover. On the whole, it’s a lot less buggy all round.
