Bug Bounty Programs: What Every Organization Needs to Know
More and more companies are paying up – and paying more – to so-called “ethical” hackers who report data security bugs or vulnerabilities for a bounty.
A report released last week by Bugcrowd, a crowdsourced cybersecurity firm, says that companies are now doling out more than ever in bug bounties. But what are bug bounty programs, and why should companies care?
Many tech companies and software developers have “bug bounty” programs, in which they offer incentives in the form of recognition and cash to security researchers who find shortcomings in their cybersecurity programs. These programs encourage developers to discover and resolve security vulnerabilities before they are exploited, preventing widespread abuse. And companies know that paying security researchers who find vulnerabilities upfront is a small price to pay rather than cleaning up the mess after a data breach.
While the likes of Google and Facebook have implemented bug bounty initiatives, so have the U.S. Department of Defense and the Air Force. According to the Bugcrowd report, the trend is predicted to rise, with tech, IT, financial services, and e-commerce companies leading the charge, and traditional industries, such as healthcare and retail, also jumping on the bug bounty bandwagon.
Bug bounty programs have been a staple in Silicon Valley for years. It wasn’t until last year when Uber disclosed that it had paid hackers $100,000 to delete data obtained in a data breach several years earlier – in which personal information for 57 million customers and drivers was exposed – that the programs came under scrutiny.
To be sure, bug bounty programs have the potential to improve cybersecurity, but they also invite serious security compromises. According to the Department of Justice Cybersecurity Unit, companies adopting bug bounty programs should have clear protocols and boundaries to ensure the safety of security information. The DOJ guidance urges organizations adopting a bug bounty program to follow four key steps:
- First, be clear in determining what data is subject to the program and what methods are authorized to detect vulnerabilities. If an organization includes systems that host sensitive information in its program, it should determine whether to impose restrictions on access to and use of such information.
- Second, plan for the administration of the program by defining the reporting procedures, identifying personnel who will handle disclosure reports, and adopting a game plan for dealing with good faith versus malicious violations of the program protocols.
- Third, prepare a vulnerability disclosure policy that accurately captures the purpose of the program and makes clear the consequences for violations of the program's rules. Program participants should be encouraged to seek clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
- Fourth, implement the program by making the policies easily accessible and encouraging security researchers to comply with them.
Notably, the DOJ recommends formalizing the bug bounty policies to limit unauthorized vulnerability disclosures and “substantially reduc[e]” the risk that bug bounty programs will violate federal and state anti-hacking laws.
The DOJ guidelines do, indeed, provide a useful framework but they raise a series of significant issues that remain unanswered. In particular, what steps must a company take when a bug bounty researcher uncovers sensitive information? Is that discovery subject to state and federal data breach reporting requirements?
We’ll take a deeper dive into these issues in a future blog post.