The Bug Bounty Business: How Solution Providers Are Cashing In

Is Your Customer Ready For A Bug Bounty?

The first step any solution provider faces is determining whether or not the customer is ready to set up a paid program.

Bug bounties are typically taken up by customers who are already engaged with specialized penetration testing companies, yet are still struggling to keep pace with changes in the application and infrastructure ecosystem, according to Francesco Faenzi, head of the cybersecurity business platform for Italian solution provider Lutech.

High-profile organizations with mature application security programs are typically the ones to adopt bug bounties, said Denim Group's Cornell. Straightforward or obvious business flaws should be caught through internal testing programs, he said, meaning that the only thing companies are left having to pay bounties on are serious or more subtle vulnerabilities in applications that aren't self-evident.

"Bug bounties are increasingly becoming a material portion of the testing market," Cornell said.

The first couple of security tests against an organization's ecosystem should be carried out by an individual or small number of firms prior to initiating the bug bounty, according to Andrew Howard, CTO at Phoenix-based solution provider Kudelski Security.

Customers that push the bug bounty before they're ready will be inundated with reports and end up paying out for rather obvious errors, Howard said.

Businesses should understand what their overall security environment looks like before embarking upon a bug bounty program, as well as where their potential weaknesses might be, said Lisa Wiswell, a principal at security engineering and consulting firm Grimm. The organizations should have a test environment or virtual lab space where security researchers can poke and prod the ecosystem for flaws without jeopardizing the actual corporate environment, she said.

Well under half of GuidePoint Security's customers would even consider something like a bug bounty program, said Andrew Johnson, vice president of innovative security assessments for the company, No. 134 on the 2017 CRN Solution Provider 500.

Modern, agile, web-centric companies are typically the ones looking into bug bounties, he said, as well as a handful of progressive financial services and health-care firms.

Bug bounties open to the general public are just the tip of the iceberg, though. Some 88 percent of HackerOne's programs and 77 percent of Bugcrowd's programs are actually private, meaning that only researchers that receive an invitation are allowed to participate in — or even know about — the program.

Security vendor Sophos runs both public and private bug bounties, focusing its public effort around inspecting web interfaces and its private program around products, said Craig Paradis, application security architect for the Oxfordshire, England-based security vendor. Products are a better fit for the private program since it requires more time and investment from researchers to install and reverse-engineer them, Paradis said.

Businesses often find it easier to get a private program off the ground with a small number of invited security researchers who are both vetted and more well-known, said NCC's Ruddermann.

Public programs are likely to attract a much greater volume of vulnerability submissions, which Ruddermann said many companies lack the budget or staffing to support from the get-go.

"There's a path to that maturity," Ruddermann said. "Private programs are a great place to start. And public programs might be an ideal place to end up."

bug bounty
Click to expand.

Selling Bug Bounties Outside IT

Although public programs made up just 8 percent of the HackerOne bug bounties launched in the past year, they pay bounties and resolve issues at four times the rate of their private counterparts. But they require buy-in from a much larger share of the organization to get off the ground.

Involvement in an organization's private bug bounty program is often limited to the product and security teams, according to Bugcrowd's Ellis. But with a public program, everyone from legal and purchasing to marketing and public relations must be looped in.

Security teams aren't historically the most public-facing part of an organization, Ruddermann said, and working externally in a way that attracts media attention might be new for them. As a result, he said the security teams sometimes struggle to get senior management and public relations on board with a public program. "A public program could really stress the internal bureaucracy of a company," Ruddermann said.

The biggest obstacle Lutech has encountered in getting bug bounty programs off the ground has been the purchasing office, Faenzi said. No RFP template currently exists for crowd-based vulnerability management services, according to Faenzi, and it's been difficult to fit bug bounties into the purchasing framework used for traditional penetration testing services.

Lutech therefore needs to work with organizations that have a politically strong CSO who's able to convince the purchasing office to avoid all of the RFP issues and move forward without a tender. Once Lutech's bug bounty services offering becomes more established, though, Faenzi believes the sales cycle will become shorter and far less frustrating.

"It's definitely not mainstream yet," Faenzi said.

Organizations also must establish lines of communication and set expectations with the security researcher community before launching a program, said Justin Morehouse, founder and principal at GuidePoint Security. Specifically, Morehouse said researchers must understand the time frame within which the firm expects to work.