Bug Bounty Programs — Why Should I Care?
Why should I care about bug bounty programs?
Every digital company has software vulnerabilities, and they get expensive in case of a breach. The cost of rebuilding trust with customers when a breach has already occurred can be immeasurable. The best time to focus on this is when nothing has yet happened.
Traditional methods of finding vulnerabilities are slow and costly. Bug bounty programs have been shown to find vulns quickly, broadly and deeply. This is thanks to unbiased testing from the outside by a skilled community of security researchers and ethical hackers. The cost per bug found is much lower than with pentesting and dynamic scanners. Adding to the good results is the fact that hackers get paid only for bugs found, not for just trying to find.
What do I need to know?
The model for bug bounty programs was perfected by Microsoft, Google and Facebook. They run the biggest programs in the world. HackerOne uses the sharing economy model to make the same benefits and the same vetted hackers available to all. In this model, security experts all over the world can pool their resources to be able to help you make your software more secure.
Is my company ready for this?
To be able to run a successful program, you need top leadership to believe in finding and fixing software vulnerabilities, an Engineering organization that is tasked with prioritizing severe bugs, and a Security person to coordinate with HackerOne. That’s it.
Who else is doing this?
AirBnB, Twitter, Slack, Snapchat, Square, Uber, Riot Games, Salesforce, Shopify, Github, Qualcomm, Intel, Microsoft Research, GM, Lufthansa, the US Department of Defense, and over 800 more.
How much will it cost?
If you are a startup or small company, an initial budget of $10-20 thousand will make a positive security impact on your software. On-going programs cost tens to hundreds of thousands a year, depending on size. The biggest program in the world (Google’s) spends over $3 million on bounties annually. The average bounty is about $500. Finders get paid only for valid results, not for just trying. For that reason, costs grow only with results. If a company is spending more, it is because they are finding more.
Can we take baby steps?
At HackerOne we have made sure that you can start benefiting quickly, yet as cautiously as you like and without a long-term commitment. In the beginning we recommend a limited program. Limit the program scope to just one part of your web property or mobile app. Pick a fixed duration for the first program. Run it as a private program with a select set of hackers invited. You can expand later.
To reduce the burden on your team, HackerOne can manage the entire program for you. You will get a validated list of vulnerabilities for your engineering team to fix. Integration with JIRA allows the information to flow automatically.
How do I get started?
We’ll ask you a few questions to determine your readiness and recommend a stepwise approach based on that. Click here to get going. Or copy the link of this web page and send it to someone who needs to know about hacker-powered security.
Through our service, over 44,000 software vulnerabilities have been found and fixed so far. There are many more that still need to be found before we can state that the internet is secure. Get your program going now. You will sleep much better once you activate this neighborhood watch for your software.
Marten Mickos
HackerOne CEO
P.S. If you are already familiar with bug bounty programs, vulnerability disclosure, and HackerOne, then here is my summary of what’s new in the early part of 2017:
ZeroDaily, our new newsletter, as fun as it is frequent, and as frequent as it is brief. Subscribe now
My most recent blog posting: The Best Security Initiative You Can Take in 2017
Latest HackerOne stats: $16M paid to hackers, 100,000 hackers in the network, over 800 customer programs, 44,000 vulnerabilities found and fixed
New notable programs: Lufthansa, Intel, Microsoft Research, Hack the Air Force, and Nintendo Switch
HackerOne offers free programs to open source projects
HackerOne raised $40M in a C round from Dragoneer Investment and EQT Ventures
HackerOne expanding into EU
HackerOne issued the Bug Bounty Field Manual, the definitive guide on how to plan, launch, and operate a successful bug bounty program
Great press article in the Telegraph, UK: Hackers become new breed of cyber security professional
Keynote at the Collision conference in New Orleans
Great press article about Hack the Air Force
HackerOne launched Disclosure Assistance for hackers
The Economist urges companies of all stripes to embrace bug bounty programs
Seamless integration between Atlassian's JIRA and HackerOne
Uber paid over $860,000 in bounties in the past 12 months
Slack paid over $200k in bounties
See all the Bug Bounty trends in our slideshare
Wonderful video summary of the h1-415 hackathon
Bug bounty reports — how do they work? Phenomenal talk by Adam Bacchus
The 8th Annual Hacker-Powered Security Report