Bug bounty programs - where individuals can receive recognition and compensation for reporting security vulnerabilities - are useful for organizations, especially when developing an application security program. But bug bounties should not be the first course of action in tackling vulnerabilities: without certain fundamental components in place, a bug bounty can be costly, ineffective, or both.
So, when should a company launch a bug bounty program?
Ideally, bug bounty programs should be launched only after four fundamental components are in place: secure development training, vulnerability baseline, automated scanning for vulnerabilities, and timely processes to triage and remediate vulnerabilities.
Implement Secure Coding Training
First, developers need secure coding training. Training developers to recognize and fix common vulnerabilities helps ensure that code is written in a way that minimizes them in the first place. Effective training can remove whole classes of common, preventable vulnerabilities - like SQL injection and cross-site scripting - from new code. Without secure development training, developers are more likely to write code with repeat vulnerabilities - essentially turning the software into "easy money" for bug bounty researchers, who can find, report, and be paid for the same class of vulnerability over and over.
Establish a Baseline of Vulnerabilities
Second, beyond training developers to write safer code, there should be a deliberate effort to find and remove basic vulnerabilities before a bug bounty program starts. Rather than paying outside researchers to find low-hanging vulnerabilities one at a time, these can be found and remediated through a relatively inexpensive manual web application security test (a penetration test of the application), which also establishes a baseline of what is known to be present and what has been fixed.
Use Automated Scanning for Vulnerabilities
Third, companies should run automated analysis on their software to find additional vulnerabilities. Ideally this is a mix of static analysis of the source code and dynamic analysis of the running application, done before any software is deployed to production. It is also useful to put technical controls in the Continuous Integration/Continuous Deployment pipeline that enforce this analysis before code is pushed to production: the scan runs on every build, and a build with findings above an agreed severity threshold fails and is returned to the developer rather than deployed.
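The following is an added illustration of that CI control, not code from the original article. It reads a scanner report in SARIF format (the interchange format most static and dynamic analyzers can emit), keeps only findings at or above a severity threshold, and returns a non-zero exit code with a per-file report for the developer. The embedded report, rule ids, file paths and the tool name are constructed sample data, not output from any real scanner.

```python
"""CI gate over a SARIF scan report: fail the build on findings at or above a threshold.
Added example; the sample report below is constructed, not real scanner output."""
import json
import sys

# SARIF 'level' values ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample SARIF document (shape follows SARIF 2.1.0; rule ids, paths
# and messages are hypothetical).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "user input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "xss-reflected", "level": "error",
             "message": {"text": "request parameter echoed without encoding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-enabled", "level": "warning",
             "message": {"text": "DEBUG=True in settings"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into a list of simple dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default when level is absent
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "level": level,
                "rule": res.get("ruleId", "unknown"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def blocking_findings(findings, threshold="error"):
    """Return findings at or above the threshold level, most severe first, then by file and line."""
    floor = LEVEL_RANK[threshold]
    blocked = [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= floor]
    return sorted(blocked, key=lambda f: (-LEVEL_RANK.get(f["level"], 0), f["file"], f["line"]))


def gate(sarif_text, threshold="error"):
    """Return (exit_code, report). exit_code 1 means the build is returned to the developer."""
    blocked = blocking_findings(load_findings(sarif_text), threshold)
    if not blocked:
        return 0, "scan gate: no findings at or above '%s'" % threshold
    lines = ["scan gate: %d finding(s) at or above '%s', returning build to developer:"
             % (len(blocked), threshold)]
    for f in blocked:
        lines.append("  [%s] %s at %s:%d: %s"
                     % (f["level"], f["rule"], f["file"], f["line"], f["message"]))
    return 1, "\n".join(lines)


if __name__ == "__main__":
    # In a pipeline, pass the scanner's SARIF file: python gate.py results.sarif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, report = gate(text, threshold="error")
    print(report)
    sys.exit(code)
```

The threshold is the policy knob: a program that is still clearing its baseline might gate only on "error" and report warnings without failing the build, then tighten to "warning" once the backlog is gone. Because the pipeline step exits non-zero, the deploy job that depends on it never runs, which is what "return the software to the developer" means in practice.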
Employ a Timely Process to Triage and Remediate Vulnerabilities
Fourth, developers need to take ownership of security vulnerabilities in their code and should be as invested in fixing them as the security team or outside researchers are in finding them. In practice, this means vulnerabilities are prioritized and fixed according to the risk each one carries. For example, an organization's policy may require that a critical vulnerability be addressed within hours while a low-risk vulnerability may be addressed within a month, with the policy still aiming for every vulnerability to be fixed eventually. This ownership by the development team is a precondition for a successful bug bounty. Researchers who spend time and effort helping a company identify vulnerabilities can feel slighted if the issue is not fixed in a timely manner. Slow remediation also creates duplicate reports: if one researcher finds a vulnerability and it takes months to fix, later researchers who report the same issue will typically not be paid, because most programs reward only the first valid report. Either way, researchers become less willing to keep looking for additional vulnerabilities.
These four components - implementing secure development training, establishing a vulnerability baseline, using automated scanning for vulnerabilities, and employing a timely process to triage and remediate vulnerabilities - should be in place before starting a bug bounty program.
With these components in place, developers know how to avoid writing vulnerabilities in the first place, the low-hanging vulnerabilities are remediated internally, higher-level external talent is attracted to the harder vulnerabilities that remain, and reported vulnerabilities are fixed in a timely manner according to their risk. Together, these put a company in a position to run a successful bug bounty program.