Security Breaches Lead to Bug Bounty Proliferation

Security and quality of service have always been important, but with digital transactions exploding and consumers becoming more sensitive to the risks of providing their personal data online, these issues have never been more important.

So it’s no surprise that organizations are becoming more aggressive about finding and fixing bugs that compromise their ability to deliver fantastic, secure experiences to their customers. One of the increasingly popular tools for identifying potential vulnerabilities before they are exploited is the bug bounty program.

Case in point: this month, Dropbox announced a bug bounty program hosted by HackerOne that provides monetary rewards to individuals who help it find critical bugs that could put its users in harm’s way.

On the Dropbox blog, Dropbox’s Devdatta Akhawe explained, “While we work with professional firms for pentesting engagements and do our own testing in-house, the independent scrutiny of our applications has been an invaluable resource for our team — allowing our team to tap into the expertise of the broader security community.”

According to Akhawe, individuals who report issues associated with a number of the company’s offerings, including its iOS and Android applications as well as its Core SDK, will be eligible to receive a minimum reward of $216 for qualifying bugs. The company has no set maximum reward and says that the highest bounties it has paid out to date were $4,913 each.

In launching a bug bounty program, Dropbox joins a growing number of companies that have sought to improve quality and strengthen security by compensating individuals for bug reports. That compensation can be significant. For example, this month, Google awarded $5,000 to a security researcher after he discovered a YouTube bug. And the Python project paid a hefty $9,000 to an individual who identified multiple integer overflow bugs capable of causing crashes.

Of course, some argue that the bounties paid actually underestimate the value of individuals’ contributions. While bounties of thousands of dollars are nothing to dismiss, the value of these bug reports to the companies could be much, much higher. In some cases, a bug report could help companies eliminate vulnerabilities that might cause hundreds of thousands or even millions of dollars in damages if not addressed soon enough.

With this in mind, companies turning to bug bounty programs will need to be realistic about their expectations and also consider the ways these programs can change motivations. Already, there are underground markets where exploits are bought and sold. Some zero-day exploits can reportedly fetch hundreds of thousands of dollars on these markets.

In an effort to disrupt the black market trade of potentially devastating exploits, Microsoft in 2013 expanded its own bug bounty program, offering up to $100,000. At the time, Katie Moussouris, a Senior Security Strategist at Microsoft, explained, “Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it. By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.”

Despite six-figure pots of gold, underground exploit markets remain active, a reminder to companies that bug bounty programs are part of the solution but not a panacea.