7 bug bounty myths, busted
Interest in bug bounty programs is exploding, as companies look to crowdsourcing to combat hackers. But several misconceptions remain.
With cybersecurity attacks on the rise, businesses are becoming increasingly aware that a single security flaw can compromise their entire organization at the hands of a hacker, but most lack the resources to defend against every potential flaw. Enter bug bounty programs, which invite people to break into your system and tell you about its flaws for a reward.
Bug bounties use the power of a crowd to augment a security team's resources, and find more critical vulnerabilities that might be missed through traditional assessments, according to a recent report from BugCrowd. However, many misconceptions about how these programs work prevent more companies from taking advantage of them, the report said.
Here are seven myths about bug bounty programs, and why they are false, according to BugCrowd.
SEE: Intrusion detection policy (Tech Pro Research)
1. All bug bounties are "public"
False: While in the past, bug bounty programs were open-to-anyone competitions, the majority of bug bounty programs today are private and invite-only, according to the report. Major organizations including Google, Facebook, Microsoft, and HP have run bug bounty programs.
2. Only tech companies run bug bounties
False: While major tech companies popularized the model, it has evolved to be effective and flexible for organizations or virtually every size, according to BugCrowd. More traditional organizations, such as financial services companies and government entities, have engaged in private programs in recent years. For example, the EU began funding bug bounty programs for 14 open source projects in January.
3. Running a bounty program is too risky
False: While the bug bounty model is becoming more popular, many companies remain concerned that they are inviting hackers in to exploit them, the report noted. However, the risk of being vulnerable outweighs the risk associated with running a bug bounty program, it added. "Granting permission for security research is a great way to receive more vulnerability findings, giving your organization more knowledge of unknown vulnerabilities, and ultimately reducing risk," according to the report.
SEE: Security awareness and training policy (Tech Pro Research)
4. You can't trust hackers
False: If given the right guidelines and incentives, white hat hackers are security researchers who can help your organization instead of hurt it, the report said.
5. Bug bounties don't yield high-quality results
False: Bug bounties help organizations uncover 7x more critical vulnerabilities than traditional security assessment methods, according to BugCrowd. Most organizations that run these programs already have strong security testing programs in place, but still find results, often with 24 hours, the report said.
6. Bug bounties are too costly and hard to budget for
False: Your organizations controls your bug bounty budget. While you want to attract the right talent to your program, you don't have to write a blank check, the report said.
7. Bug bounties are hard to run and manage
False: Organizations overwhelmed with the prospect of running a program on their own do have the option to partner with a vendor to do so, the report noted.
To learn more about how to develop a bug bounty program, check out this TechRepublic article.
Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays
Also see
Image: iStockphoto/PashaIgnatov
Gloss