Can bug bounty programs replace dedicated security testing?
A “bug bounty program” might sound like something out of the Wild West, but it’s actually an emerging way for companies to incentivize security researchers to find flaws in their technology. Essentially, the company offers a monetary reward in exchange for bugs reported.
In contrast to hiring a dedicated company for security testing, bug bounty programs encourage individual researchers to come to you. It’s crowdsourcing security in the same way we might crowdsource fundraising; but is a bug bounty program effective enough to replace dedicated security testing?
Download Ted's free ebook, "How to secure your software faster and better."
If your goal is to find and fix security vulnerabilities in order to improve the overall security of a software system, you can’t rely on bug bounty programs alone. However, there are ways to tack a bug bounty program onto your larger security testing program.
The upside of bug bounty programs
I won’t beat around the bush: bug bounty programs don’t replace the need for a security consulting company that you work directly with for your security testing program.
However, when combined with your dedicated security partner, bug bounty programs do deliver some powerful benefits:
- You get a great marketing tool by being able to publicly demonstrate an element of your security approach.
- You get instant return on investment (ROI) because you only pay when valid vulnerabilities are reported.
- You can work with researchers anywhere, avoiding border restrictions or visa requirements.
- And, in theory, you get testing done by lots of researchers and get more eyes on your system.
Bounty programs have drawbacks, though
While bug bounty programs offer some unique benefits and are a great complement to more robust security testing, their drawbacks keep them from being a stand-alone solution. These drawbacks include the following:
- Bug bounty programs don’t guarantee that enough people will actually look at your system.
- They don’t guarantee that researchers with high levels of skill will participate. Results are commonly of low quality.
- These programs are usually operated without divulging much information about your system to researchers, meaning they’ll be starting from scratch, which diminishes efficiency.
- You miss out on knowledge transfer because there is only minimal collaboration with the researcher, and as a result, you’re likely to keep paying over and over for the same symptom without addressing the root cause.
Furthermore, these programs tend to be unappealing to some of the more talented security researchers. Payments are small. Valid submissions are commonly refused payment. The work is done entirely at risk without any guarantee of finding issues or making any money.
Don’t forget that bug bounty programs are designed to attract people who want to make money from your vulnerabilities. If their ethics are squishy, your vulnerability could make them a lot more money on the black market. For example, in 2020, a vulnerability in the Zoom video conferencing platform was on sale for $500,000.
For these reasons, you’ll want to reject the hype: bug bounty programs can’t solve your security testing needs all by themselves.
Bug bounty programs aren’t a security replacement
So how can bug bounty programs fit into your overall testing strategy?
Here’s one way to think about it: When something ails you, you go to your doctor. You work directly with your doctor and their medical staff, you tell them your symptoms, and they ask lots of questions. They diagnose your issues, give you a treatment plan, and you get better.
That’s what it’s like to engage directly with a security firm doing vulnerability assessments. By contrast, a bug bounty program would be like posting your symptoms on the internet and asking for advice. In theory, you’d get advice from people all over the world for a very low cost (or even free). You’d get some good advice (and a lot of bad advice). And you’d have difficulty vetting the qualifications of the people who give you that advice.
You’d never rely on the internet alone to guide your medical treatment. You’d work directly with your doctor, and maybe also post to the internet. Your security approach should be the same.
How a bug bounty program fits into your testing process
Vulnerability assessments are the best way to find vulnerabilities, fix them and prove your app is secure. If you want to add one, a Bug bounty program can add a nice public marketing benefit, and theoretically extend the reach of your testing process.
If you need to prioritize, I recommend you start with a series of ongoing vulnerability assessments first, and then later add a bug bounty program if it makes sense for you. In other words, start with a core, proven security approach and complement it from there.