Published: 12 Sep 2016
Bug Bounty – Is It The Right Solution To Catching Security Threats?
Last Updated: 23 Sep 2020
Bug bounty programs are increasingly popular and now form part of many organizations’ strategy for discovering security issues within their applications. Organizations of all sizes and verticals have initiated bug bounty programs, including the likes of Google, Facebook, Uber, AirBnB, Starbucks and countless others.
Going by the ‘star boards’ and ‘thank you’ messages on bug bounty pages, we can gather that these programs have been successful and that the organizations have managed to find a good number of vulnerabilities, and very inexpensively at that. This would lead anyone to believe that a bug bounty program is the way to go for finding security vulnerabilities in their applications. But is there more to it?
Certainly! While a bug bounty program will help you catch those nasty vulnerabilities at a relatively low cost, it should not be your primary security testing strategy. By exposing a vulnerable application to users, whether internal or external, you become susceptible to data theft and application hacks.
Not all hackers will be ‘ethical’ hackers, and they may exploit the vulnerabilities they identify for malicious gain rather than reporting them to you. This could lead to serious consequences, including business loss, reputation loss and legal proceedings. The impact could be particularly severe for small and mid-size organizations that do not have enough backup, infrastructure and tools, leaving them in a completely irrecoverable state and impacting their business operations.
So, there is no substitute for a formal and periodic security testing cycle when it comes to ensuring the security of your applications. Security testing, when done by the right professionals with the right tools and techniques, can ensure most security vulnerabilities are caught upfront, giving organizations an opportunity to fix them before the application is rolled out to end-users. Security testing should be carried out before the initial launch of the application and repeated, at a minimum, before all major releases.
However, with continuously evolving technology and hacking techniques, and with continuous changes to the applications, there could still be potential security flaws even after periodic security tests. A bug bounty program could be adopted as a good secondary security strategy to uncover vulnerabilities where the ROI for doing formal security testing falls below acceptable levels. Such vulnerabilities should be considered an acceptable business risk and should be addressed using bug bounty programs.
TestingXperts has helped its clients design comprehensive security programs, including carrying out structured security testing of their applications. We ensure conformance to the latest industry standards like OWASP and OSSTMM, and to domain-specific regulations like PCI-DSS, HIPAA etc., with our team of Certified Ethical Hackers. Talk to us today for all your security testing needs.