Are bug bounty programs secure enough for enterprise use?

The use of bug bounty programs in enterprises is growing, but they aren't risk free. Expert Mike O. Villegas discusses some concerns related to bug bounties.

More enterprises appear to be adopting bug bounty programs to help them find vulnerabilities. But are there hidden risks involved? For example, an adult video site recently had its subscriber database exposed to white hat hackers who exploited a bug bounty. While the hackers didn't make the data public, the customer data was still accessed by untrusted third parties. What factors should enterprises weigh when considering bug bounty programs?

Bug bounty programs are offered by many websites, such as Facebook, Yahoo, Google, Reddit, Square and Microsoft. Through these programs, software developers can receive recognition and compensation for reporting bugs in those vendors' software offerings. Some of these bugs are cybersecurity related, covering exploits, vulnerabilities and possibly zero-day vulnerabilities.

Rewards in bug bounty programs vary by vendor, but they generally range from a T-shirt, to $250, to as high as six figures, depending on the severity of the vulnerability. On Dec. 8, 2016, a security vulnerability in Yahoo Mail was found by a bug hunter from Finland that allowed an attacker to read a victim's email or create a virus infecting Yahoo Mail accounts. The attack required only that the victim view an email sent by the attacker; no further interaction (such as clicking on a link or opening an attachment) was required. The bug hunter received a $10,000 reward, an amount presumably commensurate with the possible impact on all Yahoo email users.

However, posting a vulnerability on a blog or public forum provides hackers with sufficient knowledge to exploit that bug before the vendor has an opportunity to remediate it. It would be presumptuous to believe hackers would not take advantage of such knowledge. Even after the software vendor has published a fix, detailed documentation of a vulnerability would provide hackers with details that could be used against those that have not yet applied the patches.

Bug bounty programs appear to be a good idea, and they provide information for vendors to consider when strengthening controls over cybersecurity coding deficiencies. However, the details do not have to be released to the general public. A subscription-based notification of the details might be an answer, but many will oppose this idea.

There is some debate over whether to keep vendor software vulnerabilities secret. The focus of the annual DEFCON conference is to expose vulnerabilities. There is no law to prevent such disclosures, so whether the vulnerability is posted on a vendor's bug bounty program page, on an underground blog or on a social media site, exploits are bound to follow. This is a factor that vendors need to weigh when considering a bug bounty program.
