Many businesses face new challenges and problems in the area of IT security. This includes the fact that businesses receive reports of vulnerabilities from security-conscious customers or hackers*1, sometimes via unsuitable communication channels. In this expert interview lead by Shirin Freydank, usd Corporate Communication, Stefan Schmer, Managing Consultant Security Analysis & Pentests at usd AG, presents a security building block that leverages the security awareness and expertise of an entire community: the Bug Bounty Program.
Freydank: “Bug Bounty” means – a bounty for bugs? What exactly is a Bug Bounty Program?
Schmer: Basically, a Bug Bounty Program is another tool to improve a company’s security. It is a form of cooperation between hackers and businesses. The businesses use the know-how of a large number of hackers to have a certain part of their corporate infrastructure or products specifically tested for vulnerabilities. Following successful cooperation, i.e. after a valid vulnerability has been reported, the hacker who reported it first is rewarded. The type of reward is determined by the company. It can range from reputation points to benefits in kind, such as T-shirts or vouchers, to money.
What are the goals of a Bug Bounty Program?
Schmer: The primary goal of a Bug Bounty Program is to identify and fix vulnerabilities before they are exploited. Not a lot of businesses are familiar with the concept of Bug Bounty yet, but it’s constantly gaining in importance. The essential part of such a program is the constructive cooperation between a business and a community of hackers. Bug Bounty platforms offer a suitable basis for this. The platforms make the affiliated community of hackers accessible to the company, which is crucial for implementing a Bug Bounty Program. The platforms provide the company with a central forum for informing hackers about the program, communicating with them, and handling payment transactions. This enables the company to control the flow of information the hackers receive and to highlight important areas of the company where the need for security tests is most urgent.
How does the cooperation between businesses and hackers come about and how can you assess if a hacker is at all qualified?
Schmer: Companies are able to specifically invite hackers to participate in their Bug Bounty Program. This is one of the strengths of Bug Bounty platforms, as they usually have a ranking system that allows you to measure the hackers’ skill. For every valid vulnerability that a hacker reports, they receive what we call reputation points. These improve their score in the global ranking system. The more vulnerabilities the hacker collects, the higher they rise in the ranking. Hackers with many reputation points are of course very popular with companies, as these points to a certain extent represent their expertise. Businesses can also opt to run a Bug Bounty Program on their own. Instead of using established platforms hosted by providers, those businesses contact the community themselves, establish suitable communication channels and manage everything else that would otherwise be done for them by the platform.
Who can participate in the program?
Schmer: Each company sets the rules for its own program *2. These rules specify which company areas are approved for testing by the hacker community and whether there are any exceptions or restrictions hackers must observe. These rules are the foundation of the cooperation between hackers and businesses, so hackers take a close look at them before deciding to take part in a company’s Bug Bounty Program. Sometimes these rules include restrictions on who may participate. Each business defines its terms and conditions differently. Sometimes they specify a minimum age for participating hackers. American companies, for example, may also ban hackers of certain nationalities from the program because the US has sanctions in place against those countries.
How does a Bug Bounty Program differ from “traditional” security measures such as security analyses?
Schmer: In general, even with a Bug Bounty Program, the hackers perform a pentest/security analysis on the business’s selected systems. The clear advantage for the business is that it can access the knowledge of an entire community of hackers. True to the motto: Two heads are better than one. In addition, all systems approved as targets by the rules of the program are always in the hackers’ sights, which at best can lead to them being tested a large number of times by a large number of experts. Furthermore, hackers do not receive any special system privileges or background information that would be helpful for a security analysis. The conditions therefore closely resemble a real attack scenario where someone tries to penetrate the system from outside without any insider knowledge. These circumstances however also bring about a number of problems or challenges.
What are those challenges when introducing and running a Bug Bounty Program?
Schmer: First of all, the company does not know how many hackers “work” on the systems and what their intentions are. In a typical security analysis, the company commissions a penetration tester for a certain period of time. The company knows full well that the pentester will try to find security holes throughout the pentest and report them to the company later. This is difficult to implement with a Bug Bounty Program. The company must also provide incentives to get (good) hackers interested in its own Bug Bounty Program. A hacker will take a very close look at which program they invest their time in and for what value. This means that if a company sets the wrong incentives, relatively few hackers will test the systems. Communication is another important aspect that must be considered.
What should companies know about communicating with hackers?
Schmer: Hackers are often regarded as a subculture that is not easy to deal with. I don’t necessarily agree with that. Our experience has shown, however, that hackers have very high demands on a company running a Bug Bounty Program. They expect fast professional reactions and fast fixes for vulnerabilities. The mostly asynchronous communication often hampers the communication flow and any difficulties that arise therefore require additional time resources. With classic security measures, this problem would usually be solved by a personal conversation or a telephone call. There are also differences in costs. In classic security analyses, pentesters are usually paid on a time basis. With a Bug Bounty Program, hackers are rewarded on the basis of vulnerabilities found. The number of vulnerabilities which directly translate into payable financial rewards is difficult to calculate in advance.
How does a Bug Bounty Program compare to a general IT security strategy?
Schmer: In my opinion, a Bug Bounty Program can never replace a general IT security strategy and its measures, such as penetration tests. Such a program can be a great complementary security measure, however. A combination of traditional security analyses and a Bug Bounty Program can significantly improve the security of a company’s infrastructure in the long run. And with a good concept for the implementation and further development of a Bug Bounty Program, financial risks can be minimized.
What are the advantages of running a Bug Bounty Program?
Schmer: A Bug Bounty Program draws on the resources of a large number of hackers. This results in an enormous technical expertise that can be channeled productively. With the right concept, the security Level of any IT infrastructure can be greatly improved through this. A Bug Bounty Proram also allows for a continuous analysis of the target systems. The basic idea is that hackers attempt again and again to find new vulnerabilities in the systems. The company only gives out a reward to the discoverer of a vulnerability if the vulnerability has been validated. In addition, companies usually specify in their program rules that a hacker only receives a reward if the vulnerability has not been previously reported by anyone else. There is another side effect that I, as a pentester, see great value in: Companies fix vulnerabilities that have been reported by a hacker much faster.
How do our security experts help implementing a Bug Bounty Program?
Schmer: A Bug Bounty Program requires a lot of effort on the part of the company. We have already gone through all phases of a Bug Bounty Program and successfully supported companies in running them. This has enabled us to build up comprehensive knowledge of all potential issues, beginning with understanding the client’s requirements and deriving the right conditions for the Bug Bounty Program. We can help with everything from the initial conception and the definition of rules to the regular operation, including pre-filtering and evaluating incoming vulnerability reports. Beyond that, we also stand by our clients to help them optimize their processes and other areas. To explicitly highlight one area: Communication with hackers can be very time-consuming. We know the problems and challenges that can arise from Bug Bounty Programs. This is an enormous knowledge advantage that we are happy to share with our clients!
*1 The term “hacker” used in our interview refers to security researchers and white-hat hackers..
*2 Rules= Neutral term, different Terms are used depending on the Provider, such as Security Policy or Program Details.