Over the last couple of years there has been a lot of press regarding bug bounties, and I thought I would write my two cents on the matter. As a bit of background on who I am, I have five years of professional software development experience, five years of penetration testing experience and now a year of full-time bug bounty experience.
Criticism of Bug Bounties
I think most criticism of bug bounties is well-founded and is a reaction to the overly positive messaging coming from bug bounty companies. Critics are simply contesting the narrative propagated by those companies, namely that bug bounties can replace all other investment in security. Here’s a point, for example, that I agree with:
Quote from Katie Moussouris,
Bug bounty programs, she said, have been over-marketed as a solution to finding bugs. “They’re not a cost effective replacement for penetration testing,” she said.
I don’t personally run a bug bounty myself, but that point seems hard to argue against. If you are going to pay top value for bug bounties, a single remote code execution vulnerability can set you back at least ten thousand dollars. If you set a low maximum bounty, most hackers won’t even look at your program, because they would need to spend too much time understanding your external attack surface for the money on offer.
On the other hand, for that same amount of money, you can get a team of experts to look at various aspects of your technology stack, as well as provide proactive advice.
Real Benefits of Bug Bounty Programs
Having said that, however, I think there are real benefits to bug bounty programs, especially to large corporations such as Google, Facebook and the others. These benefits can mainly be summarised as these two points, below.
Firstly, penetration testing can be too laser-focused on individual assets when not managed properly. I have seen this in my experience when a client regularly spends upwards of $50,000 a year on pentesting alone, but fails to assess a number of critical elements of their internet presence. This can happen due to a lack of inventory on the part of the organisation, or a lack of political will within the company to look at, for example, third-party products sitting in their DMZ. Although this mistake can also happen in bug bounty programs, in my opinion bug bounty programs take a more holistic approach.
Secondly, not all security professionals are experts on all subject matters. Having a wider range of people looking at your site can have the benefit of individual experts finding the security holes that are specific to their area of expertise. For example, certain hackers are SAML experts, others may specialize in finding certain kinds of IDOR vulnerabilities.
These benefits only materialise on properly handled bug bounty programs. If you add a program with a terribly constrained scope offering $50 rewards, your security is not magically going to improve.
Real Negatives of Bug Bounty Programs
Running a bug bounty program comes with its own overheads, and time spent managing a bug bounty program is time not spent doing something else. In particular, there is a lot of overhead in triaging bad reports, dealing with immature researchers, etc. If you have a managed program then this can be lessened, but of course the cost increases.
Certain aspects of your company’s security are not covered by bug bounties. At a minimum, bug bounty programs completely fail to address a critical component of IT security: the human aspect. If your external network is hardened, but your staff are not trained to respond to phishing emails, then your money was probably not well spent, because attackers are likely to try phishing first due to its low cost and high success rate.
Additionally, bug bounties are not a good place to obtain advice before a software launch, are not a good way to train your developers to follow security best practices, and are not a good way to obtain advice on currently deployed solutions and how best to secure them. These problems require a solution outside of bug bounties.
Are Bug Bounties a Good Investment of Your Time as a Hacker?
There is also a lot of criticism of bug bounties from the perspective that they are unfair to security researchers. Critics say that only a minority of bug bounty hunters will actually reap any rewards for their time investment. When you compare the amount of money most participants earn against the average salary of a penetration tester, it shows that only a minority of hackers will break through that threshold.
This, in my opinion, is fair criticism, and again possibly a response to the marketing of bug bounty companies. These companies’ marketing is overly positive, which is understandable because they need to entice hackers to spend time on their platforms. The fact that a 19 year old from Argentina made $1,000,000 on bug bounties does not guarantee that you will, though.
My opinion on the matter is that you should consider your own circumstances and your own skills when considering whether doing bug bounties is going to be worth your time. It may very well be that you will waste your time, but not all rewards have to be monetary: it may be that it simply helps you become a better pentester.
With regards to finding vulnerabilities, it will come down to target selection, your affinity for finding vulnerabilities over time, and your persistence. Big corporations that have had a bug bounty for a while have had their external attack surface hardened, so the vulnerabilities you find will be the ones that only somebody with your expertise can find. You may also get lucky and find new attack surface that has only just become vulnerable.
I think if you are a hacker who regularly finds RCE/SQLi/SSRF/XXE in client applications, chances are that over time you will find these in bug bounty programs too and get a bounty.
Negative Aspects of Bug Bounties as a Hacker
There are some negative aspects to bug bounties in my opinion, namely the lack of regularity in payments and the lack of recourse when dealing with an unfair resolution. The lack of regularity in payments is self-evident: if you are a pentester you will get paid if you show up to work, whereas if you do bug bounties it doesn’t really matter whether you show up to work. This can work for some people, and it may be overly stressful for others.
With regards to the lack of recourse, I think this is related to the amount of spam that bug bounty programs get. The program makes the final decision, and that is that. Sometimes this means you report a valid bug that you can exploit to do something significant, but you won’t get paid.
This article is meant to be a summary of my opinion on the topic, which I think can be interesting to some people. As I noted above, corporations can reap benefits from a properly-managed, properly-funded bug bounty program.
Hackers can also reap benefits from bug bounty programs, but these benefits come at the expense of other things, such as stable wages and a guarantee of income.