
Getting the most from bug bounty programs

allantan by allantan
October 25, 2023


The Consortium for Information and Software Quality (or CISQ) estimates that poor software quality costs US companies upwards of $2.08 trillion annually. These losses include costs from operational failures, unsuccessful projects, and software errors in legacy systems.

A software bug is an error, flaw or fault in the design, development or operation of software that causes it to behave in unintended ways. CISQ estimates that the process for identifying and correcting bugs, called debugging, accounts for a significant percentage of a software project’s cost – more than the creation of the software in the first place.

Finding software bugs is a full-time job and can distract the IT team from focusing on more strategic priorities – although, to be clear, repairing errors in software is just as important, especially those that concern security exploits and vulnerabilities.

Debugging engineers typically are proficient in one or more programming languages and are familiar with common frameworks, libraries, and platforms, such as Selenium, JUnit, TestNG, or Cucumber.

The scarcity of such talent, coupled with the accelerated pace at which new applications are being designed, tested and moved to production, has created an economic opportunity for bug bounties.

Dave Gerry, CEO at Bugcrowd, defines a bug bounty program as a cybersecurity initiative that organisations implement to incentivize security researchers and ethical hackers to find and report vulnerabilities or security flaws in their software, websites, or digital systems.

“These programs are designed to help identify and fix security issues before malicious hackers can exploit them for malicious purposes,” he continued.

Importance of bug bounty

A bug bounty typically involves research and testing, reporting, verification, fixing and patching, and acknowledgement.

Gerry claims bug bounty programs have become a popular approach for organisations to bolster their cybersecurity efforts. “They benefit from the expertise of the global security community, which can often identify vulnerabilities that internal teams might have missed. For ethical hackers and security researchers, bug bounties provide an opportunity to earn money while contributing to the security of digital systems,” he elaborated.

[Figure] Source: All The Research, April 2021

These programs have been adopted by tech companies, government agencies, financial institutions, and a wide range of organisations with an online presence to improve their security posture.

Bug bounty oversight

Just as with any program, delivered internally or through an outsourced expert, some supervision or guidelines need to be set in place. Otherwise, the organisation risks the program drifting off on a tangent or not delivering on the original reasons for which it was created.

Asked who should oversee such operations, Gerry noted that typically, the security organisation is responsible for deploying a bug bounty program and coordinating the necessary budgets.

“From there, it becomes an organisation-wide initiative as most functions will contribute to the remediation efforts, promotion, and overall success of the program,” he added.

He also pointed out that anything an organisation produces, including applications, hardware, infrastructure, networks, APIs, LLMs, etc., is a good candidate to be part of a bug bounty program.

“While security does typically own the management and budgeting of a bug bounty program, the entire organisation plays a critical role in its long-term success,” he continued.

In-source or outsource

According to Gerry, organisations of all sizes and maturity levels can benefit from a bug bounty program. "While some large (F100) companies may have in-house staff to deal with the management of the program, they often come to providers for assistance in the triaging of vulnerabilities or the payment processing of bounty payments to the hacker community," he added.

The 2023 Bug Bounty Platforms Report estimates the bug bounty platforms market at US$973.1 million in 2021, steadily rising at a CAGR of 15.94% during the forecast period and reaching US$2.36 billion by 2027.

Guidelines for bug bounty programs

Asked what guidelines and rules should be part of any bug bounty program or strategy, Gerry points out that before the launch of any bug bounty program, it is important to document the scope of the engagement, the areas of the organisation’s asset(s) that are out of scope, the pay scale for vulnerabilities by criticality, and the process by which the organisation will evaluate the vulnerabilities that are identified.


“This is typically provided to the hacker community via a Program Brief on the organisation’s website or by the bug bounty provider,” he added.

The growing influence of AI

In the Inside the Mind of the Hacker Report, Bugcrowd founder and CTO Casey Ellis, commenting on AI and the impact of generative AI on security, believes that cybersecurity is about to become less predictable.

Acknowledging that artificial intelligence (AI) is a ‘hot button’ in security, Gerry points out that AI has the potential to make security teams wildly more productive, and, at the same time, has the potential to make bad actors more productive in their criminal activities.

The report cited that 91% of hackers believe that AI will help amplify the work that they do, with 78% believing it will disrupt the way they conduct penetration testing or work on bug bounty programs.

[Figure] Generative AI technology types used by hackers. Source: Inside the Mind of a Hacker, Bugcrowd 2023

However, 72% believe that AI cannot replace the human creativity that they bring to hacking. Interestingly, 94% of hackers plan to start using AI in the future to help them ethically hack while 91% believe that AI technologies are upping the value of ethical hacking.

Bug Bounty in 2024 and beyond


“We expect to see continued growth around new programs launching - both in organisations using bug bounties today and for those not yet using bug bounty. As these programs continue to launch, more and more individuals will become hackers on the various platforms as they see the income opportunity in bug bounties.”

– Dave Gerry

“Security has never been more critical to an organisation’s long-term success than it is today - the legacy tools, scanners, and methods have failed and organisations must look to the hacker community for help as we all aim to disrupt the adversaries we face daily,” concluded Gerry.
