Are Bug Bounty Programs Worth It?
Almost weekly, it seems there is another news article about a bug bounty program sponsored by a major corporation where an amateur hacker – often a teenager – is paid a sizeable sum of money for finding a bug in a company’s operating system or code. Often, these articles describe just how much money these teens make from bug bounty programs; one headline from March 12, 2019 states how bug bounty programs have made “one teen a millionaire hacker.” In another from February 2019, Apple paid a 14-year-old hacker an undisclosed sum after he found a security flaw in FaceTime.
In reality, bug bounty programs don’t always result in Robin Hood-like successes touted by the news media. Bug bounty programs – with their pros and cons – are mostly used by big technology companies and are intended to incentivize “ethical” or “white hat” hackers to find security bugs or vulnerabilities before the public becomes aware of them. The hacker then reports the bug to the company for a payout or “bounty.”
And it’s not just big tech that is sponsoring bug bounty programs. The U.S. Department of Defense sponsors its own ‘Hack the Pentagon’ bug bounty program to identify security vulnerabilities across certain Defense Department websites.
Only a fraction of the vulnerabilities or bugs identified concerning Google, Facebook, and GitHub (which just expanded its bug bounty program in February and eliminated its maximum award limit, are even eligible for payment. For example, a bug that a hacker finds might be blamed on a third-party vendor, and not the company itself, so in those cases, companies will often refuse to pay a bounty.
Additionally, even though bug bounty programs and hosts pride themselves on their “crowd-sourcing method” by harnessing the power of huge groups of hackers, they often rely on a small group who account for the majority of the bugs found and money made. Even those who are finding the most bugs and making the most money hardly make millions – according to the blog Trail of Bits, citing research from a book soon to be published by MIT Press – those hackers are making $16,000-$35,000 a year maximum, even though they find on average 30-40 bugs a year.
Yet, there are exceptions. At least according to one news account, a 19-year-old “self-taught hacker” from Argentina” has been at it since 2015, and during that time, has pocketed $1 million. He has purportedly uncovered more than 1,600 security flaws.
Companies that sponsor bug bounty programs face competition for bug discoveries from firms like Zerodium, an “exploit acquisition program,” which buys “zero days” from hackers. A “zero day” is a kind of bug that is discovered after a product’s release that can be exploited by those who discover it. Hackers disenchanted with bug bounty pay outs may turn to companies like Zerodium, which may further exploit the vulnerability, rather than disclosing it to the company with the weakness. Zerodium buys the zero day research from the hackers who discover it, and then sell that information to what they describe as “mainly government organizations in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero day attacks.”
Recently, when a hacker found a vulnerability in Apple’s macOS, for which there is not a bug bounty program – there is one for iOS – he sent along the details of the bug to Apple even though they did not pay him. The hacker, Linus Henze, sent the patch to Apple because he believed it was necessary to protect Mac users. Apple may not be so lucky in the future, especially when Zerodium offers bounties of up to $2,000,000. Zerodium focuses on “high-risk vulnerabilities” from different kinds of platforms including web browsers, smart phones, and e-mail servers.
An alternative to a formal bug bounty program is hiring an outside forensics firm specifically tasked with looking for bugs or cyber vulnerabilities in the company’s IT environment. Unlike bug bounty programs, which thrive on massive numbers of anonymous users, many of whom want to find as many bugs as possible as opposed to the bugs or zero days that present actual security threats, a consultant can do a thorough and fully disclosed audit of the program or software.
Of course, different companies have different needs, and it may be that certain platforms could benefit from both a bug bounty program and a forensic consultant. As with many data security issues facing a company, there’s not often a right or wrong answer but only a well-reasoned conclusion, often based on fast-moving technology. Even though bug bounty programs have the benefit of using the tech community at large to help strengthen web-based products, companies should consider all the available resources before deciding on the right pathway.