Bug Bounty Programs…are they for you?
With the rise in cyber fraud, hacking and data breaches, organisations need to be more vigilant than ever about protecting customer data. The recent introduction of the General Data Protection Regulation (GDPR) makes clear that organisations must do more to close their security vulnerabilities, or face fines. Cyber security and keeping data safe need to be a priority, and this has prompted some organisations to introduce the next big thing: Bug Bounty Programs.
What is the Bounty Program?
If you are responsible for data and/or cyber security, you should already know about Bug Bounty Programs. If not, read on and see whether a bounty program is for you.
Organisations, whether website- or app-based, run a programme that offers security researchers a cash reward for testing their software and reporting potential weaknesses, vulnerabilities and/or bugs.
Bug Bounty Programs are not new. The first recorded bug bounty dates back to 1983, when Hunter & Ready offered a Volkswagen Bug in exchange for the discovery of a bug in its VRTX real-time operating system.
These incentivised programs show no sign of slowing down. With technology connecting people thousands of miles apart at a few taps of a keyboard, and with Millennials, Generation X and Generation Z all familiar with communications, media and digital technologies, the demand for skilled IT security researchers is on the rise.
Where can I find Bounty lists?
Bug bounty lists can be found on the internet, where organisations advertise monetary rewards for testing their systems and reporting bugs, security flaws and similar issues.
Example of listings for Bug Bounty adverts:
Is it worth introducing Bounty Programs into your organisations?
Organisations outside the technology field are also running these programs. Global giants such as Facebook, Google and Deutsche Bank have all introduced bounty programs at one time or another. So, is it worth it? Do the rewards outweigh the risks?
Areas to consider
Researchers reporting bugs may not be in line with your strategy
– If numerous researchers submit the same bug at the same time, who do you reward?
– Is there compatibility between your systems and those used by the security researcher?
Bug Bounty Programs require a substantial financial backing
– You not only need the financial reward for the researcher, you also need the right people and internal infrastructure to support the program, and a bounty reward contract that is watertight.
– Do you have the internal staff to administer the program: to analyse and approve submissions, and then to implement the code changes needed to fix the reported bugs?
How do you handle illegitimate researchers in your system?
– Some researchers may go beyond the permitted test scope. Inexperienced researchers may do more harm than good to your systems.
Documentation for the reward
– Make sure you have watertight rules and guidance for researchers covering what qualifies for a reward and how payment is made (and keep it short: pages and pages will not be read).
The future of Bug Bounty Programs
The popularity of Bug Bounty Programs will not disappear overnight, but a word (or a few words) of caution: a bounty program should not replace your own continuous internal bug monitoring. You should have that internal support in place already.
Like any solution introduced to have a positive impact on the industry, there are always those who can turn it to the opposite. Unfortunately, some hackers see the introduction of regulations such as GDPR as a big pay day, because personal data is now far more valuable for resale and, in the worst case, for ransom.
So, if you are considering implementing a bug bounty programme, our advice is to do your research first and be 100% committed; otherwise it will be more hassle than it is worth. Good luck, and happy bounty hunting!
Cavendish Professionals has a technology recruitment team that is always looking for experienced IT professionals. Our clients are based in both the UK and Europe, so if you are looking for a new project, get in touch with us. We cover roles within Cyber, ERP and Software Development, so whether you are a C++ Engineer, a Node.js Developer, a Core Blockchain Solidity Developer or a DevOps Engineer, we can assist you.
Alternatively, if you are a company looking for an experienced Ethereum Dapps Full-Stack Developer, Backend Developer, or iOS/Android Mobile Developer, to name a small selection of the roles we manage, get in touch to see how we can help you. Technology specialists are our business; see how we can support your business with your next internal or project hire.