The risks of bug bounties

Bug bounty programs have been around since at least 1995, when it is believed Netscape launched the first one. The latest is the refresh of Twitter’s, which promises at least US$140 to those who find vulnerabilities in the social network’s online, iOS and Android apps.

Canada’s OpenText, Google, Microsoft, Facebook, YouTube, and Yahoo are among the major companies to offer bounties with cash or recognition. The idea of rewarding people for finding bugs in their applications is considered so worthwhile by vendors that a San Francisco-based company acts as a central clearing house for 36 small firms and startups, such as Pinterest.

It counts well over 100 other bug bounty programs.

But are they worth it? Swiss-based penetration testing firm High-Tech Bridge has been skeptical. In a blog post published today, a staffer interviewed CEO Ilia Kolochenko, who said bounties can be an effective tool if implemented and operated correctly.

The problem is that a bounty can give a green light to attacking a system. “Checking for XSS (cross-site scripting) is harmless and even without a bounty program I would say perfectly legal if used to notify the vendor,” Kolochenko is quoted as saying. “But in checking for something more dangerous, like SQLi (SQL injection) flaws, if the researcher is not skilled enough he could unintentionally delete something or make something unusable by incompetent testing. I am not even speaking about automated tools and scanners that can seriously harm live systems if used blindly. The problem is that quite often crowds of young hackers use a dozen vulnerability scanners simultaneously to fuzz the victim, betting on the quantity rather than quality of security checks.”

He adds that “competent researchers are not usually the people who regularly submit bugs to collect the bounties, simply because that is not their motivation. They may do it from time to time for glory or mainly for fun/challenge, but that’s definitely not their core business/hobby.”

The smaller the reward, he also argues, the greater the likelihood that inexperienced hackers will overwhelm a bounty team.

Here’s an idea he suggests: a job offer for the top researcher of the year. That would not only attract talented people, but also boost the company’s security.

If your company has a bug bounty — or has considered and found it wanting — let us know in the comments section below.
