[BreachExchange] The Bug Bounty Model: 21 Years & Counting

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 30 13:51:52 EST 2016


http://www.darkreading.com/vulnerabilities---threats/the-bug-bounty-model-21-years-and-counting/a/d-id/1327752

When Netscape launched the first bug bounty program 21 years ago, it
redefined the way companies approach system vulnerabilities. Today, there
is widespread adoption of crowdsourced security programs across mainstream
companies with more than 600 publicly disclosed programs and counting.

I’ve worked on a number of these bug bounty programs over the years, and
served as director of penetration testing for HP Fortify. The changes have
happened so fast, it’s easy to lose sight of how far we’ve come since the
very first program was introduced in 1995. As we approach the new year,
let’s take a look at the robust history that set the foundation for the
modern bug bounty program.

The First Bug Bounty
Netscape Technical Support Engineer Jarrett Ridlonghafer designed and
launched the first bug bounty program to discover vulnerabilities in
Netscape’s beta version Navigator 2.0 Internet Browser. The company offered
cash rewards to hackers who found bugs in the software.

Although this was a major advancement for the security industry, the model
wouldn’t catch on for another seven years. By 2002, IDefense launched its
own bug bounty program and in 2004, Mozilla created a program that is still
running today. These early programs paved the way for the modern bug bounty
and for the emergence of managed programs and bug bounties as a service.

Breaking the Mold
In 2010 and 2011, Google and Facebook took notice of crowdsourced security,
adding it to their business models, which increased its popularity and
incentivized more researchers to join the bug bounty community. In March
2011, Facebook paid a 22-year-old security researcher $15,000 for a bug
discovered. By 2015, Facebook had paid more than $4.3 million to
researchers globally.

Bug bounty programs were beginning to increase in popularity, yet many
organizations still perceived them to be too risky. This perception was
tied to the belief that a bug bounty gives hackers free rein over critical
code. But the reality is much more controlled than that, because, whether
you invite hackers in or not, as long as applications are connected to the
Web, they’re vulnerable. Tapping into the intelligence of thousands of
security researchers helps identify these vulnerabilities before the bad
guys do and lowers the risk of being vulnerable.

Bug Bounties as a Service
In recent years, the growing need for bug bounty programs and the
challenges and costs associated with managing them internally drove the
creation of third-party platforms or bug bounties as a service. This opened
new pathways for a growing hacker community and furthered adoption by other
market sectors such as healthcare, financial services, automotive, and the
Internet of Things.

For companies, third-party platforms offer the opportunity to create
personalized programs by connecting organizations with trusted partners and
a community of diverse security researchers. For researchers, the
third-party platform verifies their results, handles arbitration issues
with the company, and makes it easier for individuals to get paid and move
onto testing for more bugs. Third-party platforms also drive the creation
of a thriving community where researchers connect, educate, and inspire one
another in an environment that allows people with a variety of backgrounds
to share their knowledge and expertise.

The Future
Crowdsourced vulnerability assessment has evolved to include more than just
public programs. As I mentioned earlier, a common misconception about the
bug bounty model is that all programs are public. In reality, the majority
of all programs launched are invite-only. Private, ongoing, and on-demand
programs are incredibly common and give companies a way to facilitate
testing on harder-to-access applications, or focus testing on a small
subset of an attack surface to meet organizational testing needs.

Private programs allow organizations of all sizes (like Western Union,
Okta, and Aruba Networks) to validate the security work they’re doing
internally, and leverage a curated crowd of talent to scale up their team
and improve response time before going public.

Crowdsourced security programs have taken on many different forms and will
continue to play a major role in securing applications, especially as
companies face increased pressure to release updates and keep their
customers’ data secure. With the increase in vulnerabilities in healthcare
devices, IoT and the automotive industry, these programs can bring
advancements to industries across the board. With the willingness and
constant interest from intelligent engineers, bug bounty programs will
continue to thrive.