A Programmer’s Guide to Crowdsourcing Security with Bug Bounties
Developing secure software is a key element to modern software development. Around 75% of programmers worry about security in their applications and 85% rank security as very important in the coding and development process. This has bred a huge emphasis on “secure by design,” which is the concept of creating software with security already built into the product.
However, when developing a product in isolation, it’s hard to be sure that your software is as secure as you believe it to be. The only way to know for sure is to put your software to the test and see how well it stands up. Nonetheless, it’s unrealistic to expect a full-time programmer to have the time or expertise to attempt to hack their own software.
Many people would then look to hiring professional help. While this is a popular option for most, it can be very expensive and time-consuming to find the right people for the job, and even then you’re not guaranteed to find anything for your trouble. A modern-day solution to this is to use bug bounty programs.
A bug bounty program is an organized service where companies can have their websites or applications tested by freelance hackers for vulnerabilities. In return for finding bugs in your product, they are given monetary compensation or points on the platform that increase their ranking.
Some big companies that use bug bounty programs include Facebook, Google, HP, Nintendo, and PayPal.
Bug bounties are a great way to have the security of your software tested by multiple security professionals. Also, you only pay when something is found that is of interest to you, and you can easily scale the amount that you pay to reflect your budget.
In this article, I will outline how these programs work, why they are a benefit to you, and how you can start getting your software reviewed.
Advantages of a Bug Bounty Program
Bug bounty programs are a cost-effective way to get feedback on the security of your software. Here are some advantages to choosing a bug bounty program for your security needs.
You Get Many Opinions
A big benefit of a bug bounty program is that you get many different people looking at your product. Each person has a different approach and a different skill set. The more people you have trying to break your software, the more weaknesses you will find, and the stronger your software will be once you fix them.
You Only Pay for What You Get
Unlike upfront penetration tests, where you have to settle on a price beforehand, bug bounties only require you to pay once a new vulnerability is found; duplicate submissions don’t get payouts. This gives you a much better ROI, and as submissions come in, you can stop at any time if you are paying more than you would like.
Some platforms also allow you to post your product for testing without having to pay anything. In return, for any vulnerabilities found, researchers are awarded points that increase their ranking on the platform. This helps them stand out among other researchers and get more business for themselves.
This works well if your product has anything to do with a nonprofit or a charitable cause. It can also be an option if you don’t have a large amount of money to spend, but be warned, you usually get what you pay for.
You Get Quality Feedback and Action Plans
Once a vulnerability is found, the researcher is responsible for providing a report of their findings and recommendations on how to fix it. This means you can spend less time researching security concepts and trying to learn a completely different industry, and you can just get right to fixing any bugs in your software.
Furthermore, if you want to educate yourself, you can keep those reports and learn from them so you don’t end up making the same mistakes in your software going forward.
Types of Bug Bounty Programs
There are two categories of bug bounty programs, each with different strengths and weaknesses. The option that is best for you will depend on the resources available to you and the type of software you are developing. Here I break down the differences between the two.
Public Bug Bounty
Public bug bounty programs are posted on online platforms and are open to the public for testing. This type of program has the least overhead because you don’t have to find and recruit specific researchers.
A public bug bounty program also gives you the most feedback because of the number of people that have access to the program. This option is also more cost-effective; however, the downside is that you're less likely to attract deep technical experts, because most of them are heavily sought after and do mostly private bounty programs.
Additionally, you’re going to have many eyes on your product. If you want to keep your product out of the public eye, this may be a problem for you. Overall, for most programmers a public bounty program will be the best option because of its convenience, its cost-effectiveness, and the fact that secrecy isn’t a huge concern for most software.
Private Bug Bounty
Private bug bounty programs are invite-only programs that are performed by a selected group of researchers. While they have fewer people overall, the technical expertise is likely to be higher because only top researchers tend to get invited to these programs.
However, higher expertise usually means higher pay, so these programs can be more expensive. They also have higher overhead because it takes time and resources to find and recruit select researchers.
The benefit here is more expertise and less public visibility in case you are dealing with a highly sensitive or proprietary piece of software. Private programs are better for programmers with more resources or a higher than normal interest in security and privacy.
Popular Bug Bounty Platforms
There are many different platforms that offer bug bounty programs, but some are much more established than others. It's important to pick platforms based on factors like high participation, easy-to-use interfaces, and a good track record. These two platforms lead in all three of these areas and have strong reputations in the industry.
- Bugcrowd: Bugcrowd was founded in 2011 and is one of the biggest bug bounty platforms. It is one of the leaders in this field and has hosted bug bounty programs for some very large companies like HP, Indeed, and Motorola.
- HackerOne: HackerOne is arguably the biggest platform for bug bounty programs, rivalling Bugcrowd. Some notable companies that have used HackerOne include Starbucks, Nintendo, PayPal, and Goldman Sachs.
At this point, you might be wondering about the exact steps to follow, or how bug bounties work from a practical perspective. Let’s take a closer look.
How Do Bug Bounties Work?
The exact steps will be different depending on the platform, but these are the general steps in creating a bug bounty program.
- In order to participate in a bug bounty program you need to have an element of your software that you want to test. This can be a website you're hosting, a desktop or mobile application, or even source code on GitHub. Identifying what needs testing is the first step.
- Once you identify what you want tested, you create an outline of how you want it tested. This includes what type of vulnerabilities you are interested in, what areas are off-limits to the test, and how long you want to run it. You must also decide on the price range you are willing to pay. Give as much guidance as you can, so that people will work on the aspects you are most concerned with.
- Once you have defined a scope for the test, you can follow the instructions on your chosen platform to create the posting. Once that is set up, people will be able to begin testing and sending you their findings.
- It's your responsibility to pay attention to submissions as they come in and either accept or reject them, making payouts accordingly. Payouts should be fair, to keep people engaged and reward their hard work. You should also update your post to let people know what bugs have been found, so that people do not duplicate others’ work. This wastes their time and yours.
As a developer it's a valuable skill to be able to proactively find bugs in your software or even avoid creating them in the first place. If you’re interested in learning more about how bug bounties are done, or you want to get started doing them, here are some resources you can look at.
- Bug Bounty Hunting Essentials: This book is designed to be a quick-paced guide to help white hat hackers get through bug bounty programs. It teaches practical application security skills and techniques for performing bug bounties.
- Bug Bounty Hunting for Web Security: This book focuses on finding and exploiting vulnerabilities in websites and applications. If you’re a web application developer interested in learning how to find bugs in your software or others’, this book is a great fit for you.
Why Use Bug Bounties to Secure Your Software?
Bug bounties offer a great way for software developers to test the security of their applications at a low cost. They are very easy to set up and don’t require any in-depth security knowledge on the developer's part.
Bug bounties give you access to security experts who will walk you through what is wrong and how to fix it, which will make your life much easier. The practice has been used for years by large companies such as Facebook, Google, Nintendo, and many more, and is one of the best ways to get unbiased feedback on the security of your software.