Table of Contents
- Summary
- Market Framework
- Maturity of Categories
- Considerations for Implementing Advanced Security Programs
- Vendor Review
- Near-Term Outlook
- Key Takeaways
- About GigaOm
- Copyright
1. Summary
Bug bounties and penetration testing (pen-testing) are powerful techniques that uncover flaws in controls, applications, and hardware. They enable enterprises to secure code prior to application launch or after the code is released and they help meet compliance requirements. At face value, hiring an ethical hacker and bypassing an application’s security in order to find and fix any weaknesses sounds straightforward; however, in this process enterprises often encounter complexities, nuances, and certain unintended consequences.
Bug bounties and penetration tests reveal vulnerabilities before they are exploited – minimizing the potential for embarrassment, loss of trust, and the costs associated with those. Failure to identify and disclose data breaches to customers places organizations in legal jeopardy. The reality is that, whether a vulnerability is known or unknown, it is only a matter of time until it is discovered and seized upon. The question to ask then is, “Do you want to know about vulnerabilities before or after your customers find out?”
To become more secure, all companies today must build internal muscle memory to cope with the flaws inherent in code. This does not simply apply to engineers. A company must fund resources that include legal, communications, executive steering, customer service, and development, and all of them must be in lockstep if the enterprise is to develop the internal skills necessary to become more secure.
Fortunately, because of experienced hackers and hard-fought lessons learned, these disciplines have evolved. This is partly a response to the underground bug market, which revolves around hackers who find and sell exploits, at times for hundreds of thousands of dollars, depending on the severity of the bugs, the reliability with which they trigger, and the platforms they can affect. Some security vendors understood this early and based payment on the quality of vulnerabilities, encouraging hackers to work harder to find them.
It cannot be overstated that enterprises wishing to buy these services need a solid foundational understanding of the market and of the subtle but critical differences between bug bounties, pen-testing, and responsible disclosure, as well as of the different tools and platforms available. Launching bug bounties and penetration tests means opening your systems and networks up to “hackers,” albeit ethical ones: you are trusting engineers to break controls to get to the crown jewels, and then trusting that they stop when they get there. To quote the Rolling Stones, “Just as every cop is a criminal and all the sinners saints.”
Key Findings:
- The space for bounties and penetration tests is quite mature, and most of the top vendors offer platforms that make the complicated workflow easier to manage.
- Executive support for these programs is critical to their success.
- Responsible disclosure and bounty programs are key to addressing vulnerabilities before they become an internal emergency that could cause brand damage, loss of trust, and/or regulatory fines and negligence charges.
- Creating a responsible disclosure program can save your enterprise unneeded embarrassment. Whether or not you choose to launch a bounty program, vulnerabilities in your software or services may be discovered and announced regardless of your organization’s intentions.
- The security of all of your software and services will vary; however, nothing is ever 100% secure. By implementing a bounty program or conducting regular penetration tests, your organization will build internal muscle memory focused on improving security. Over time this will pay big security dividends.