Bug Bounty on the Rise: Is there an Imminent Need?

Sandip Kumar Panda, CEO & Co-founder, InstaSafe, a leading cloud-based Security-as-a-Service solution provider that delivers comprehensive and uncompromising protection to mobile and remote workers, enabling them to safely and securely access enterprise apps, email and the web from anywhere on any network.

1,051,200 cyber attacks per year. There is a hacker attack every 39 seconds, affecting one in three Americans each year. Cybercrime damages will cost the world $6 trillion annually by 2021.

Cybercrime alerts have always been on the rise in this world of digitization, and with all your information available through your applications and websites, it has become very easy for hackers with malicious intent to penetrate an unsecured application. It is not just big brands that hackers target: as per Symantec's 2016 Internet Security Threat Report, 43 percent of cyber attacks target small businesses. As Cisco ex-Chairman John Chambers once commented, "There are two types of company, those who have been hacked and those who don't know they have been hacked."

Earlier, organizations were always reactive in their approach to cybersecurity. But in today's world, with big names like Uber, Google and Facebook running their own bug-bounty platforms, the situation in the enterprise arena has changed. The bug-bounty platform is still a fairly new concept in our country. A bug bounty platform, or Vulnerability Rewards Program (VRP), is a crowdsourced initiative that rewards security researchers for discovering and reporting software bugs. Such a program aims to supplement your existing internal code audits and penetration testing as part of the organization's vulnerability management strategy. It acts as an additional layer on top of the organization's in-house penetration testing, but in an innovative manner: it provides an opportunity to engage with a worldwide, diverse pool of ethical talent who want to help the organization build a secure application in return for rewards and recognition.

Bug bounty programs are suitable for organizations of all sizes mainly for the following reasons:
1. Securing their application: Research says 80% of all web applications and mobile applications contain security loopholes [Reference]. Most organizations do not realize this, and so they remain vulnerable to cyberattacks. Cyberattacks lead to loss of reputation, brand equity, business continuity, revenue, and customer trust. Every organization should strive to avoid critical bugs in its application.

2. Not having enough resources to run a security testing program: Most organizations do not have enough security researchers to have their applications tested against critical vulnerabilities. Bug bounty platforms provide access to talent and offer services like bug triaging, bug report validation, bounty setting and payment management. A bounty program takes the stress and hassle away so that organizations can concentrate on their core strengths.

3. Building a culture of security consciousness: A managed bug bounty program provides access to a community where industry experts, security researchers, and technical vendors share their knowledge on enhancing security and becoming cyber resilient.

The best part of such programs is their gamification, which creates a competitive environment for many security researchers on a single platform, allowing them to conduct offensive security testing on applications simultaneously for rewards and recognition.

Gone are the times when the best reward a security researcher received was a one-line acknowledgement in a security advisory or some goodies. Today, companies like Uber, Google, and Facebook are paying out bounties in the range of $1.4 million to $3 million. But with this range of bounties on offer, the most important thing to take care of is the engagement policy for this diverse and talented pool of security researchers. A vulnerability disclosure policy is what guards the entire concept of a bug-bounty platform. Uber's policy says, "You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached."

With proper usage of the platform and an apt vulnerability disclosure policy in place, the time is not far when such platforms will be the sole base of penetration testing. Their unique advantage is a highly diverse crowd of security researchers from around the world, something very rare to find within any single organisation, and this in turn strengthens healthy competition across industry sectors.