Bug bounty programs are a great step forward for the security industry, but the impact could be reduced if vendors focused on secure coding.
Speaking at 44CON in London, Katie Moussouris, chief policy officer at HackerOne, said that the tide turned in 2010 with bug bounties, when professional penetration testers began making money for their skills.
Asked whether a growing number of bug bounty programs would push down the prices offered overall, Moussouris said it may not be the most cost-effective way to find as many vulnerabilities as possible, but organisations should be making their bugs rarer and rarer with better code development. “Vendors are not doing that, as skipping code tests, and that would make instances of bugs rarer and rarer; it should be better and rarer and money is steady,” she said.
“To make money, invest in security part first. Researchers have a choice on what they look at, it is not always about money and sometimes it is about exposure and recognition.”
Looking back at her own work on Microsoft’s bug bounty programme, Moussouris said that it was designed as an incentive to bring bugs in earlier in the software development lifecycle. “The purpose of the programme is to incentivise researchers to look where we want them to look,” she said. “In determining the bug bounty programme, we looked at the pattern of bugs that we were getting anyway, which often came in after the code was locked and during manufacturing, which was the worst time.
“It is about managing expectations in a bi-directional relationship. Researchers are making an investment in time and skills, why would a tester waste time and effort on a vendor who doesn’t want it, or expect to be paid for it? Look at vendors who have proper programs and a desire to receive vulnerability reports.”
She said that organisations realise that they are open to vulnerabilities, and bug bounty research may save a lot of headaches. Asked what a vendor should do if it was unsure whether a bug bounty programme was right for it, Moussouris said: “It is much better when both parties are willing and consenting. Trying to unlock the vendor desire to receive vulnerability reports can be a ‘subtle seduction’.
“If you are on the fence and thinking about doing this, what better time is there to align with the business needs than the time that they had aligned to fixing bugs?”