What Is A Bug Bounty And Why Are They Important?
Cybersecurity research has a long and interesting history. The dynamics between researchers, mischief makers, hackers, and companies is complex to say the least.
Reputation & Security Posture
Understandably, companies don’t want to look bad. Most spend huge swathes of their budget on marketing and positioning themselves in a positive light.
Having security holes exposed to the public can have a negative impact on a companies reputation and their bottom line.
Countering that, most companies also want to ensure that their technology works as intended and only as intended.
How can an organization balance these needs?
Enter The Bug Bounty
In most jurisdictions, the laws around computers and hacking are overly broad and out of date.
This can—and has—lead to lots of legal trouble for well-intentioned researchers.
These laws have also led to convictions for cybercriminals who have taken advantage of thousands.
The bug bounty system emerged to provide guardrails for the interaction between security researchers and the company hosting the bug bounty program.
The program lays out the types of research that are acceptable and how that research can be conducted. Furthermore, it creates a structure that usually defines compensation for the researcher and how and when—or even if—the issue can be discussed publicly.
For researchers, a public record of accomplishments is a critical aspect of career progression.
While not perfect, bug bounty programs are much better than the unstructured approach of the past.
Keys To Success
The keys to a successful bug bounty is clear communications. The boundaries and process needs to be established before any research is done.
Why? Because looking at just the technological steps taken, there’s isn’t much of a line between security research and hacking. Yet the difference between the two is night and day.
Security research is done with understanding and consent. It’s a process where the goal is security improvements and gained knowledge.
Bug bounties can help protect companies and researchers alike. They establish a working relationship and set the proper expectations on both sides.
They aren’t perfect. But they are a strong move in the right direction.