Throughout this year, bug bounties have hit an all time high in the news, and are well on their way to becoming non-negotiable parts of mature security organizations. Because of that buzz and the positive traction the bug bounty space is seeing, it’s easy for us to forget that this is still a new and novel approach to security that not everyone fully understands. That’s why we’ve put our ears to the ground to pick up on some commonly held misconceptions about how they work, why they work, and for whom they’re ideal.
To shed some light on the reality and nuance of this growing and evolving economy, we’ve picked out seven of these top ‘myths’ to address and debunk. In the upcoming weeks, we’ll dissect these myths one by one; you can also read more about them in our summary guide, 7 Bug Bounty Myths, Busted.
To kick things off this week, we’re talking about the single most common misconception we hear in passing: on tradeshow floors, from fellow developers, and even within the growing security researcher community.
Myth #1: All bug bounties are ‘public,’ inviting the whole world to hack your applications
All too often we hear ‘My application can’t stand up to that volume of testing’ or ‘We can’t risk external researchers coming into contact with our customer data’ or ‘I need to know who is testing my applications.’ Although public programs are great solutions for many organizations and we believe that all organizations should strive to have some form of public vulnerability disclosure channel eventually, those concerns are valid. Enter private bug bounty programs.
Evolution of Bug Bounties from Public to Private
It is true that many bug bounty programs, especially programs that have gained attention in the past five years such as Google’s VRP, the Facebook Bug Bounty, Microsoft’s bug bounty program and more, are public. And yes, the first bug bounty, launched by Netscape 21 years ago, and the several that followed directly after were open-to-everyone contests.
In late 2013, we introduced the idea of a ‘private’ bug bounty, which allocates a subset of the crowd to engage in a more focused testing environment. In the past several years, this evolution of the public bug bounty program has facilitated an even more widespread adoption of the model across industries. Today, the majority of bug bounty programs are invite-only programs, as you can read more about in our 2016 State of Bug Bounty Report.
Value of Private Bug Bounties
Private programs offer organizations the opportunity to utilize the power of the crowd (volume of testers, diversity of skill and perspective, and a competitive environment) in a more controlled setting. Organizations often run private programs for one or more of the following reasons:
- Limit testing to a smaller, curated crowd of testers who must be invited to join
- Facilitate testing on harder-to-access applications, such as applications that require unique credentials or devices that must be physically distributed
- Focus testing on a small subset of the attack surface to meet organizational testing needs
Additionally, organizations looking to improve upon penetration tests while fulfilling quarterly testing needs or compliance requirements are starting to run on-demand bounty programs. Our On-Demand Programs utilize invitation-only researchers for a time-boxed testing period, similar to a pen test, but harness the crowdsourced model of paying only for valid results rather than for effort or time.
Private Program Participation
Anyone can sign up to become a Bugcrowd researcher and participate in public bug bounty programs. As bug hunters submit bugs to public programs and climb the ranks within the community, they earn the opportunity to gain access to private programs.
Bugcrowd researchers are vetted and measured in four areas:
- Activity: We encourage our researchers to stay active within the community. Researchers who have been active within the past 90 days receive more invitations to private programs.
- Quality: Researchers must submit valid findings, staying in scope and adhering to the program brief’s guidelines. More than 50% of their submissions must be 'accepted' by organizations, which encourages quality submissions.
- Impact: High-value findings are also important. To receive invitations to private programs, researchers must have an overall average priority rating better than 4.0.
- Trust: Perhaps the most important measurement: researchers must consistently adhere to our community Code of Conduct and Standard Disclosure Terms, as well as to individual program disclosure policies. Professionalism and respectfulness are important, and researchers must consistently exhibit both of those values when communicating with Bugcrowd staff and program owners.
Only the top performers who have proven their skill and trustworthiness receive invitations to private programs.
Which companies run private programs?
By default, public programs receive more organic press and marketing exposure, garnering attention from a larger pool of testers. Private programs benefit from being discreet and frequently run without any external recognition. That said, you can learn more about the experiences of a few of our customers who ran or are currently running private bounty programs.
These are just a few of our private customers that have shared their experiences working with a private crowd. It is also important to note that many of our customers running public bug bounty programs today may have started out private such as Western Union, Twilio, LastPass and more.
Want to learn more about common misconceptions around bug bounty programs? Download our guide, and subscribe to our blog to get more in-depth commentary on the seven bug bounty myths in the coming weeks.