In our recently released guide, 7 Bug Bounty Myths, Busted, we addressed some common misconceptions about the bug bounty model and bug bounty programs. Each week we are taking a deeper dive into those myths one by one. Last week we talked about the misconception that bug bounties are all public and open to everyone. Today, we're addressing a related misconception about the types of companies that engage with the bug bounty model.
Myth #2: Only tech companies run bug bounty programs
History of Bug Bounty Programs
It is true that many early bug bounty programs, such as Google's VRP, the Facebook Bug Bounty and Microsoft's bug bounty program, are public programs run by large technology companies. And yes, the first bug bounty, launched by Netscape 21 years ago, and the several that followed were open to everyone as well.
Today, however, the bug bounty space looks very different. In the timeline below, you can see that all kinds of companies are running bug bounty programs.
With the help of platforms such as ours, the model has gained traction in the past few years, evolving to meet the needs of more than just 'crazy, Bay Area tech companies' ready to invite the world to take a peek at their apps. As we discussed in our previous post in this series, private programs have played a huge part in that evolution. On-demand programs give organizations another way to use the crowd, and a way to meet a different set of needs.
What companies run bug bounty programs?
In our 2016 State of Bug Bounty report, we noted increased participation from companies outside the Internet and technology sectors, and signs that this trend will continue. Among the top industries are Retail, Automotive and Financial Services. Read the report to learn more.
- Financial Services: The financial services sector is a clear target for attackers, and as these organizations grow more complex, they have become increasingly difficult to defend. In our Financial Services Industry Report, you can learn more about why companies like Western Union and, more recently, MasterCard are improving their product security with the crowd.
- Automotive: In the past few years, more automakers have been forced to look to the crowd to expand their talent pool. Car hacking is not a skill set that is easy to hire for, so the crowd extends the testing resources of companies like Fiat Chrysler Automobiles and Tesla.
- Retail and E-Commerce: Many of our customers in the e-commerce and retail industry including luxury fashion retailer Lyst, travel search engine Skyscanner, and online retailer Jet.com, are seeing tremendous results compared to traditional security assessments. Digital loss prevention company Digital Safety is also utilizing the crowd in interesting ways.
- IT Security: Security organizations are 'practicing what they preach' by augmenting their existing appsec programs with the crowd. Okta has been running a successful private bug bounty for years, and others such as OWASP, LastPass, 1Password and Kenna Security are utilizing public bounty programs to encourage security research.
- Education: As education technology grows, this sector is also beginning to improve its security testing. Instructure, the organization behind the Canvas Learning Management System, has long been committed to product security and has used the crowd to test it for years.
- Healthcare: Although adoption in this sector is just beginning, it is becoming clear how important application security is for these organizations. Zephyr Health, one of our customers, is at the forefront of innovative and improved security testing practices.
These are just a few of the sectors, in addition to the 'technology' companies that popularized this model, that are starting to make the most of the crowdsourced economy. We look forward to supporting this trend.
Want to learn more about common misconceptions around bug bounty programs? Download the guide, and subscribe to our blog to get more in-depth commentary on the seven bug bounty myths in the coming weeks.