Crowdsourced Bug Bounty Programs: Security Gains Versus Potential Losses

Ben Sadeghipour

Crowdsourced Bug Bounty Programs: Security Gains

If you could improve your business security and find and fix vulnerabilities before they can be exploited, wouldn’t you want to?

Improved security, happier customers and enhanced brand reputation are just some of the benefits of ethical hacking. The reality is vulnerabilities are found every day by security researchers, friendly hackers, customers, academics, journalists, tech hobbyists and criminals. In fact, our recent study confirmed that hackers discover a software vulnerability every 2.5 minutes. Without the hacking community on the side of organizations, these flaws can lead to cyber-attacks.

Working with the hacker community is a proven way of finding and fixing unknown critical vulnerabilities. At its most basic level, ethical hacking is fundamentally about helping organizations to improve their security posture – a ‘see something, say something’ approach, if you will. The most well-known approach to working with hackers is through bug bounty programs, during which a hacker is paid a monetary reward in exchange for reporting real-world security vulnerabilities before they can be exploited.

We are starting to see more organizations embrace the ethical hacking community, from the military through to governments and private and public organizations. Attitudes towards hackers are also becoming more positive each year. Once seen as only villains, hackers are today viewed as a global force for good, coming together to help address the growing security needs of our increasingly interconnected society. The community welcomes all who enjoy the intellectual challenge to creatively overcome limitations. Their reasons for hacking may vary, but the results are consistently impressing the growing ranks of organizations embracing hackers through crowdsourced security – leaving us all a lot safer than before.

For many organizations, working with hackers opens up a world of opportunity, as they can access a broad range of skill sets to find and fix potential vulnerabilities before the bad guys do. Hackers are typically experts in their field, relentless in their work, and they look at and view the world differently from traditional IT security experts. They can be viewed as the detectives of the internet, and their ability to think like attackers makes them a most powerful defense.

“Hacker-powered security allows businesses to leverage an entire global community to look for and find vulnerabilities”

Companies that value ethical hackers and rely on their expertise are in a better position to overcome today’s digital challenges. Unlike traditional security platforms, hacker-powered security means organizations will always have a constant set of eyes monitoring and securing their systems and applications. While some businesses may already have IT teams in place to do this, their resources are often limited. Hacker-powered security allows businesses to leverage an entire global community to look for and find vulnerabilities.

Hackers are here to bring their intelligence and grit to bear against our connected society’s toughest challenges. Today, there are organizations in the military, government and cyber-defense space all using hackers. Hacker-powered security is also advocated by leading authorities such as the UK’s NCSC.

There is no quick fix or silver bullet for cybersecurity, but organizations need a continuous security strategy as they continue to evolve, spin up new applications or launch new online services and products. This means looking to the hacking community, composed of tens of thousands of individuals with diverse skill sets, for their expertise. The more well-trained eyes scanning a company’s systems for security vulnerabilities – which attackers are seeking to exploit – the more likely and efficiently they will be discovered and reported. Fundamentally, the ethical hacking community is looking to make the internet a safer place, and organizations have an enormous potential to tap into. It may sound too good to be true, but there are many high-profile businesses that turn to the ethical hacking community such as the US Department of Defense, Deliveroo, Starbucks, Uber, Toyota, IBM and more. Many hackers genuinely have a desire to help and engage.


Alex Haynes

Crowdsourced Bug Bounty Programs: Potential Losses

Much has been written about the benefits of crowdsourced security over pen-testing, but once you gloss over the marketing, there are a lot of scenarios where crowdsourced security isn’t beneficial to you as a business.

If you’re a company that has never had a penetration test done or don’t even practice regular vulnerability scanning, then crowdsourced security will have you throwing money into the wind for no discernible benefit. Crowdsourced programs are ideal if you have a mature posture and are already doing regular pen-tests that have weeded out the easy-to-find vulnerabilities. This would enable you to dig out the esoteric hard-to-find critical vulnerabilities that bug bounty programs are renowned for.

However, if you’ve never done a pen test, your crowdsourced engagement will provide you with dozens of vulnerabilities, many of which would have been discovered with a simple vulnerability scan, that you now have to pay for if you opt for one of the ‘pay per vulnerability’ programs that crowdsourced companies offer. Worse still, if you have no remediation capacity to fix these dozens of vulnerabilities, then you’re just paying people to point out bugs that you cannot fix anyway. While the same could be said for a pen test, the volume of bugs you will receive in a crowdsourced engagement will be many magnitudes higher.

Nothing beats a pen test in terms of cost. We’d all like to live in a utopian world where the CISO has an unlimited budget, but if you’re a company with a limited budget, then you’ll find crowdsourced engagements unaffordable. A pen test will always be more cost-effective. If you need to test a website, you’re typically charged anywhere from $800-$1200 USD a day, and a good pen-tester can get this all wrapped up within five days. If you eschew dedicated pen-testing companies and go with smaller providers or independent contractors via a pen-testing platform such as Avord, you’ll cut these costs in half. A crowdsourced program, even those with a flat fee, will cost many times more.

“Crowdsourced security propagates a highly unethical Orwellian gig economy where the majority of people are effectively working for free, and are not paid at all for their effort”

Nothing beats the convenience of a pen-tester turning up to your office in person, plugging in his laptop and going to town on your network. With a crowd, you need a mix of either proxies or dedicated VPN connections with all the chaos and complexity that ensues. Then you need to somehow control a dozen or so researchers who are all competing against each other to find bugs.

I’ve lost count of the number of times I’ve been on a crowdsourced engagement where the asset in question (website, server, etc.) just crashes due to the sheer number of people testing the target at the same time. If your assets can’t take a high traffic load, you’re going to have a poor time of it.

Offensive security suffers from a skills shortage just like every other facet of the information security workforce today. Crowdsourced security, while alleviating this somewhat by expanding the potential pool of testers to an international level, has still hit a brick wall – there is no endless pool of talent to draw from. Visit the leaderboard of the main crowdsourced platforms and you’ll find one striking similarity – they’re almost the same. The majority of the testing on all platforms is done by a select group of super researchers, some of whom do it full time. This means the majority of vulnerabilities are actually handled by the same group each time. While you may read marketing references to having ‘thousands’ of researchers, the reality is that two dozen researchers account for most of the vulnerabilities found on platforms today. As it’s entirely voluntary, you can see the problem this causes – you cannot force a voluntary workforce to test your assets when they simply don’t have the bandwidth to.

Finally, crowdsourced security propagates a highly unethical Orwellian gig economy where the majority of people are effectively working for free, and are not paid at all for their effort. They don’t get sick pay if they’re unwell, they don’t get holidays and they can spend dozens of hours on a crowdsourced engagement and come away with nothing or, even worse, can find a vulnerability that has been found by someone else and still get nothing. It’s the gig economy at its worst, all fueled by venture capital funding.
