Bug Bounty – Miracle cure or marketing hype?
What can bug bounties do, and what are their limitations? Are they a panacea or just the latest IT buzzword? We try to get to grips with this new approach to IT security.
The first thing to say is that the digital world is moving faster and faster, which means developers are under mounting pressure. Agile teams, frequent updates, changes, and upgrades: they face massive challenges. Product security tends to be a secondary concern – until something goes wrong, as it did when Facebook got hacked and the data of 500 million users was made public.
Then all of a sudden everyone's focused on security – including the company's management – and people start noticing things they hadn't spotted before. "A bug bounty program could have prevented all this," say those who see it as the ultimate security solution. Ethical hackers could have found the bug. Facebook would have paid the reward for spotting the vulnerability and the data leak would never have happened.
Bug Bounty is not a panacea
Many experts take a somewhat more nuanced view of bug bounties, seeing them as another piece of the puzzle when it comes to securing digital services. "There are many phases in the life cycle of digital services, so it makes more sense to carry out holistic analyses than simply relying on a bug bounty program. Bug bounties are a black box," says IT security expert Rolf Wagner. It's like someone picking up a device and shaking it around, but without opening it up to see how it works. You might find some vulnerabilities, but it isn't a thorough analysis and it won't give you a complete understanding of the security mechanisms.
Many bugs can be prevented through enhanced training for developers. Ensuring IT security experts are closely involved in the design of new applications is also key. Once the software has been developed, it undergoes a security audit by experts, who examine the structure and code and test the application for stability.
Getting the right mix
"A car goes through numerous tests before being put on the market," explains software expert Marcel Eyer. Reducing IT security to a bug bounty program would be like a carmaker road-testing a car only after they'd already sold 100,000 vehicles. Testing beforehand might be expensive but a product recall and the resulting reputational damage would be much more costly. "With a security audit, you can tell whether there are major vulnerabilities before a new web service is launched," says Eyer.
Of course, bugs can still go undetected even with an audit. They can also sneak in over time, since software is continuously upgraded to enhance the all-important user experience. With every update offering scope for errors, it can be very useful to call in ethical hackers – also called penetration testers – during this phase as well.
Bug Bounty: Making a statement
But the company has to be ready. Any bugs found need to be analyzed and fixed, and the hunters rewarded – which means creating the necessary corporate structures. But once these conditions are in place, bug bounties can really make an impact. Bear in mind that a bug bounty program isn't just a statement to the outside world ("Hey, hackers, come and see what we're made of!"); it also sends a message within the organization ("Hey, developers, we're letting the hackers loose on you!"). This pushes the often neglected issue of security further up the corporate agenda.
In turn, this has the potential to trigger a cultural shift, away from a "more and faster" mindset toward a greater focus on the quality – and security – of applications.