Data Security Law Blog

Part II: Hidden Costs of Bug Bounty Programs

Many big data and technology companies consider “bug bounty” programs – incentive-based initiatives that reward “ethical” hackers who report data security bugs or vulnerabilities – attractive and cost-effective tools for weeding out security flaws.

Yet bug bounty programs are not a silver bullet for keeping hackers at bay; they are only one component of a comprehensive organizational cybersecurity program. They also carry hidden costs and traps for the unwary. Today, in Part II of our series, we take a closer look at the thornier questions confronting companies that adopt bug bounty programs.

As we previously reported, “bug bounty” programs are on the rise, with more and more companies offering incentives to so-called “white hat” hackers who report data security bugs to them. According to one report, the average reward for identifying a security bug has risen to more than $2,000. For many companies, this is a small price to pay to avoid a data incident that could ultimately cost many thousands of dollars, if not more.

But in some instances, the unforeseen consequences of setting up a bug bounty program can well exceed the immediate benefits.

The 2016 Uber data security incident, affecting more than 57 million drivers and riders, is a cautionary tale. As readers of this blog will recall from our reporting, the hackers did not defeat Uber’s defenses so much as walk around them: they obtained access credentials for Uber’s cloud-hosted data stores and used them to access and download troves of consumer and driver data. Uber ultimately paid the hackers $100,000, a payment it initially characterized as a bug bounty. While hard to quantify, the reputational harm and loss of goodwill associated with Uber’s handling of the incident and the resulting negative press likely far exceeded the ransom the hackers managed to extract.

Public naming and shaming, however, was only the tip of the iceberg. Uber executives were later forced to admit in Senate testimony that “it was wrong not to disclose the breach earlier” to the appropriate federal and state authorities. In the wake of the revelations, Uber faced lawsuits across the country and became the target of numerous law enforcement and regulatory investigations. Uber’s troubles stemmed, at least in part, from its reliance on the hackers’ own assurances that they had destroyed the pilfered data. Lawmakers and the public at large were understandably dubious of such uncorroborated claims: a company has no way to verify that a copy of exfiltrated data has been deleted, and a promise to that effect does not change what regulators and affected individuals must be told. The long-term costs of such decisions, including damage to the brand, stiff penalties, and civil and even criminal liability, could prove considerable.

The Uber experience underscores several of the risks associated with adopting a bug bounty program, chief among them the need for a formalized process and requisite safeguards: a published scope and rules of engagement, a documented intake and response process, and a clear line between paying a researcher who reported a flaw within the rules and paying someone who has already taken data and is demanding money. The latter is an extortion payment, not a bounty, and it triggers the same breach notification obligations as any other incident. Bug bounty programs may seem like a quick fix, but they should not distract from developing a robust internal cybersecurity program, including regular internal and external monitoring of an organization’s cyber defenses.

Companies considering a bug bounty program will need to work through a number of difficult questions: Should a third party administer the program rather than the company itself? Is there a risk that the mere establishment of a bug bounty program will attract hackers looking to make a few bucks, or to test whether the company can be pressured into paying more? Or can the program be structured in such a way as to provide incentives for white hats to work with program sponsors in a meaningful way to discover vulnerabilities that would otherwise go unnoticed?

That is only the beginning of a much longer inquiry into the benefits and potential risks of putting such a program in place. As bug bounty programs become increasingly embedded across a variety of industries, especially technology, we will continue to monitor developments in this area.