Many people are familiar with bug bounty programs. They are designed to test the security of a company’s computer systems by crowdsourcing talent from all around the world to report bugs, especially those with critical vulnerabilities. In a way, bug bounty programs make the services and software we use much safer, but that’s just on the surface. While the rewards may seem generous ranging from $5,000 for “severe” bugs to $100,000 for discovering an operating system vulnerability, bug bounty programs have their cons as well. Here are some reasons why:
They indiscriminately attract the attention of both blackhat and whitehat hackers.
When a company sets up a bug bounty program, people from all sorts of backgrounds, be it whitehat or blackhat hackers, are free to probe the company’s systems for vulnerabilities. This doesn’t necessarily guarantee a good outcome as malicious blackhat hackers are already on the hunt for vulnerable systems, and the announcement of a bug bounty program may draw them to a previously unknown target. In worst-case scenarios, these blackhat hackers may try to probe beyond predetermined testing perimeters and potentially compromise a secondary system. Therefore, attracting both kind of hackers makes it difficult for companies to know their true intentions, which can be dangerous.
They reward “bad” behavior.
Though companies like Google, Facebook, Microsoft, and PayPal are currently running bug bounty programs, not all big enterprises believe in the power of bug bounty programs. In fact, some may have the opinion that implementing such a program is rewarding bad behavior, essentially making these “bug bounty hunters” withhold their knowledge of a vulnerability to themselves until the company pays up. There is also the fact that these hunters might not always have the best intentions in mind, as they might publicize the vulnerabilities for fame or attempt to sell knowledge of them on the black market—using the fact that the rewards are publicized as a bargaining chip to obtain higher bids.
They are only cost-effective for software vendors, not the bug finders.
For large enterprises, bug bounty programs can prove to be extremely useful since software vulnerabilities and bugs are reported before malicious agents can fully exploit them. This gives software vendors some time to patch up the bugs before it releases the next version. Furthermore, considering that bug bounty programs only pay out when there are results, in the long term they present an efficient and cost-effective way for companies to track and manage exploits. However, for those working long hours trying to find a vulnerability, the payout might not be enough to keep them motivated.
Compared to traditional penetration tests, which are typically carried out by a small number of people, bug bounty programs broaden the scope of talent leveraged and encourage a company’s own customers and the general public to report vulnerabilities and bugs. If the vulnerabilities are validated and remediated, at end of the day these fixed vulnerabilities benefit us all. However, simply having a bug bounty program is not enough to improve a company’s security, and they come with downsides. Therefore, it’s important for companies to evaluate the pros and cons before implementing any sort of program.