Trying to get ahead of the bugs and vulnerabilities that cause security breaches and hacks has become an increasingly high priority in recent years across a variety of industries. With a growing cybersecurity skills gap and short-staffed security teams, many organizations are turning to bug bounty programs to expand their breach prevention capabilities beyond their internal teams.
How Do Bug Bounty Programs Work?
These programs are reward-driven, crowdsourced security testing: ethical hackers who successfully discover and report vulnerabilities to a company are rewarded by the organization whose systems they tested.
Bug bounty programs can be further classified as private or public. Public programs allow entire communities of ethical hackers to participate, and these wide-ranging programs can be either time-limited or open-ended. Private programs, on the other hand, are generally limited to a smaller, hand-selected group of hackers and are scoped to specific targets. These private programs often run through commercial bounty platforms, where hackers are selected based on their reputation, experience and skills.
One company that exemplifies the growing bug bounty trend is Microsoft. It has consistently been involved in these types of efforts over the years, and the latest example is its new Xbox Bounty Program. It followed RockstarGames’ decision to make its bug bounty program public, inviting hackers to test its platform for a wider range of vulnerabilities. So what does a successful program look like?
The Xbox Bounty Program
The Xbox Bounty Program invites gamers, security researchers and others from around the world to help identify vulnerabilities in the Xbox Live network and services, and to share them with the Xbox team. Qualified submissions are eligible for bounty rewards of $500 to $20,000. If you find a major bug in an Xbox Live service and report it to them, you could get paid for it.
The following are examples of vulnerabilities that may lead to one or more of the security impacts Xbox is looking to address:
- Cross-site scripting (XSS).
- Cross-site request forgery (CSRF).
- Insecure direct object references.
- Insecure deserialization.
- Injection vulnerabilities.
- Server-side code execution.
- Significant security misconfiguration (when not caused by the user).
- Demonstrable exploits in third-party components.
Bug Bounty Benefits
Traditional penetration testing is often driven by compliance requirements and can foster a culture of fear, but bug bounties are different. Bug bounties are about creating a culture of openness, transparency and responsibility.
People are constantly trying to hack every game console on the market, and many applications and websites as well, whether for good or for bad. For organizations like Microsoft, it’s important to bring the dark side over to the light by giving hackers an ethical outlet through participation in bounty programs.
Ethical hackers help businesses detect vulnerabilities before the bad guys beat them to it. In other words, running a bug bounty program is getting ahead of the game by being proactive and predictive. A bug bounty is an alternative way to detect software and configuration errors that can slip past developers and security teams, and later lead to big problems.
Bug bounty programs and responsible disclosure programs are extremely beneficial for Microsoft, and organizations in general, because they give curious people a legal and positive way to express their curiosity.
In a previous life, I was a white hat hacker like this. I never reported anything I found, but if there had been a system in place like a bug bounty, I would’ve taken full advantage. Having these programs in general is great for organizations to find bugs, but it’s also important for them to ensure they are reported.
Bug Bounty Challenges
While bug bounties have the numerous benefits outlined above, it’s also important not to over-rely on them. These programs are a supplement, not a replacement: they don’t eliminate the need for secure software development practices, system scans or testing.
Before launching the program, it’s also important to define its scope. You must have unquestionable clarity about what conduct is authorized, and you must decide what proof you’ll require to confirm a finding and how and when participants should share that information.
Bounty program legal rules can sometimes be written poorly as well, allowing hackers to stray outside the boundaries despite the potential legal risk. A lot of bug bounty reporters are simply imposing their own worldview on the organization running the program. It’s nowhere near the majority, but you see it a lot with younger people.
It will take advance planning and agreement among security teams, operations and developers to ensure procedures are in place to handle such incidents when they arise. But all in all, the benefits of bug bounty programs significantly outweigh the challenges they pose. Every day around the world, new breaches grab news headlines. Bug bounties are one way to help keep organizations out of those headlines and continue on the path to a safer digital life.