CEB Blogs



Bug Bounties Have Gone Mainstream

The sheer number of firms that now create their own software, and the scrutiny applied to them if they lose confidential data, means they are doing all they can to stop advanced cyber attacks

As the trickle of companies incorporating digitalization into their corporate strategy turns into a flood, information security professionals are warning anyone who’ll listen about the vast array of products and services that may contain critical vulnerabilities in their software.

Anything from web-enabled home appliances to online retail platforms poses a threat to the companies that create and operate them, and to the consumers who use them. And the revelations of the CIA’s secret arsenal of cyber weapons, and the “WannaCry” ransomware attack that followed, confirmed fears that vulnerabilities, and concerted attempts to exploit them, are even more likely than most suspected.

On top of that, the market is clearly happy to punish organizations that fail to protect their customers from fraud, theft, and surveillance. So companies and management teams need to find new and innovative ways to eliminate defects without harming their firm’s digitalization efforts.

Bounties to Stop Customer Mutiny

One way that companies are trying to keep customers and shareholders happy and deal with more – and more sophisticated – attacks is to use “bug bounty” programs. By offering monetary rewards to anyone who can find and report a vulnerability in their code, organizations can encourage hackers to do the right thing while improving product security at the same time, and all at relatively low cost.

As the chief security officer at a technology firm in CEB’s networks explained recently, “We have 40 engineers on staff whose sole job is to break software. But opening up your code to the research community provides you with a very different, very rigorous kind of test. In that sense, bug bounties are something organizations should consider.”

In the past, few firms other than tech giants such as Facebook and Google offered bug bounties. But with such a diverse range of companies now in the business of writing software, the number of bug bounty programs popping up across industries such as banking and finance, transportation, healthcare, and consumer goods has more than tripled since 2013. Bug bounties are now mainstream (see table 1 for more).

Table 1: Examples of companies that run bug bounty programs. Source: CEB analysis

By Invitation

Naturally, most companies are reluctant to let just anyone comb through their code. This is why private, invitation-only programs have received considerable traction among the world’s biggest firms. Private programs allow companies to manage the risk of unauthorized disclosure by controlling who is eligible to participate and which products and services are in-bounds.

Similarly, the rise of third-party bug bounty platforms such as Bugcrowd and HackerOne has helped to professionalize bug hunting and remove some of the stigma associated with hacking. As the market matures, chief information security officers may even turn to private bug bounty programs as a more cost-effective alternative to conventional penetration testing.

Make no mistake, bug bounties are no substitute for developing secure software from the outset. But until organizations can commit to investing the time and energy necessary to embed better security in their software development lifecycle and product supply chains, well-managed bug bounty programs might be just what they need to help bridge the gap.

