What is Bug Bounty?

Published: 17 Jul 2018 Updated: 2 May 2022

In our first post, we gave a brief introduction to HackenProof and explained why Bug Bounty is at the cutting edge of cybersecurity services. The short argument is that Bug Bounty Platforms have access to a much greater talent base than traditional cybersecurity companies. In this post, we’d like to dig a bit deeper into what that means and explain how Bug Bounty actually works.

From Wikipedia:

“Bug Bounty is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.”

There are two approaches to managing Bug Bounties: some companies choose to self-host their programs, and some use the services of a Bug Bounty Platform to launch and coordinate them. The best way to give you an idea of how a Bug Bounty Platform works is to walk through an example.

Let’s say we have a company, SoftwareCo, that wants to check its software for security vulnerabilities. We will illustrate two scenarios – one in which SoftwareCo hires a traditional cybersecurity company and another in which SoftwareCo works with a Bug Bounty Platform.

Scenario 1 – Traditional cybersecurity company:

  1. SoftwareCo hires a security consulting firm, ProtectCo, to test its software. ProtectCo is a typical consulting service provider with a few dozen employees.
  2. ProtectCo assigns a few of its cybersecurity experts, who test SoftwareCo’s software for 2-4 weeks.
  3. After the assessment, ProtectCo hands SoftwareCo a report describing all the vulnerabilities its employees found during the assessment.
  4. The Head of IT at SoftwareCo is responsible for fixing the bugs.

That’s the standard process that most companies go through when conducting a security assessment of their digital assets.
Now, let’s take a look at Scenario 2, where SoftwareCo chooses a Bug Bounty Platform (BBP):

  1. First, BBP helps SoftwareCo create a Bug Bounty Program Policy – a document that describes in detail which resources are in scope and out of scope, the reporting procedure, the rewards for the various vulnerability classes, and other rules.
  2. Once that’s done, BBP announces to hundreds of its researchers that a Bug Bounty Program for SoftwareCo is live, with a call to action to take part in it.
  3. Dozens of security researchers test SoftwareCo’s digital assets for months (or even years).
  4. All vulnerabilities are reported via the platform, and BBP’s triage team validates each report.
  5. SoftwareCo can monitor its program activity 24/7 and gets live updates on the vulnerabilities found and the money spent.

As you can see, in the second scenario many researchers with various backgrounds test SoftwareCo’s digital assets for a prolonged period of time, greatly reducing the chance that a bug will “slip by”. Traditional security consulting companies simply can’t compete with the talent base that is available to Bug Bounty Platforms.

Many companies have a mindset of building an “impenetrable wall” around their digital assets that will keep them safe. The reality, however, is different. No matter how great the wall is, sooner or later hackers will find a weak spot in it and exploit it.

Technology is evolving all the time, and your defense has to keep pace. The right mindset, if you don’t want to be hacked, is to CONSTANTLY keep testing your “wall”: find vulnerabilities and fix them before black hat hackers can exploit them.

Bug Bounty is a convenient and efficient way for companies to continuously test the security of their digital assets.

If you would like a consultation on bug bounty programs, you can schedule a demo with the HackenProof team here.
