Facebook recently announced Hacker Plus, a loyalty program for its bug bounty program. According to the company, it is the first program of its kind, modelled on the loyalty programs run by airlines and hotels.
The social media giant will now evaluate participants based on the cumulative quantity, score, and signal-to-noise ratio of the bugs they submit over the course of a year. Once a researcher submits a bug, they are enrolled and ranked in the Hacker Plus loyalty program. Based on their scores, bug hunters are placed into one of five leagues — Bronze, Silver, Gold, Platinum, and Diamond. Bug hunters in each league receive a bonus on top of their bounty amounts; for example, Bronze league members receive a 5% bonus, while Diamond members receive a 20% bonus.
This step by Facebook further incentivises bug hunting by external parties, encouraging more participation and also reflecting greater investment from the organisation’s side. Facebook’s case is not an isolated one. According to a February 2020 report from HackerOne, the popularity of bug bounty programs has soared in the past few years. In 2019, hackers collectively earned $40 million from such programs; this amount is almost equal to the total bounties paid out in all preceding years combined. This growing popularity raises a pertinent question — are companies becoming more reliant on bug bounty programs as a security and compliance strategy? If so, how effective are they?
How Do Bug Bounty Programs Plug Loopholes
A bug bounty program is an initiative through which organisations reward external security researchers for identifying and reporting vulnerabilities and loopholes in their public-facing digital systems. While a few of these programs are invite-only, most are open to all. Once a loophole is identified, the researcher is required to submit a proof of concept along with their report to the organisation concerned.
As per the Data Breach Report 2020, it takes an organisation an average of 280 days to identify a security breach. This gives an attacker ample time to prey upon the target’s most important assets. This is where the external or third-party ‘bug hunter’ comes into play. These programs give the organisation a proactive approach to its security efforts. In their absence, organisations are forced into a reactive stance, waiting for an attacker to strike and only then fixing the underlying vulnerability.
Security and Compliance Issues
While bug bounty programs help organisations with their security and compliance strategy, they also have a few downsides:
Firstly, these programs attract all sorts of users and researchers, who may be either white-hat or black-hat hackers. This does not help matters, as black-hat hackers are already on the prowl for vulnerabilities, and the announcement of a bug bounty program may draw them to a previously unknown target. In the worst case, black-hat hackers may go above and beyond the predetermined testing perimeter and compromise a secondary system.
Another major shortcoming of a bug bounty program is that nobody really has complete ownership of the project. Unlike a penetration test, where a dedicated resource is assigned to the project and uses a specific methodology to review the testing scope from all angles, bug hunters are rewarded on a per-bug basis; thus nobody can really certify that all risks have been identified and reviewed.
Lastly, poorly written legal rules and a poorly defined scope for the bounty program may give rise to potential legal threats. The organisation needs to draft clear rules to avoid ambiguity at later stages and also make sure that researchers read these rules beforehand. The last thing anyone needs is to run into legal trouble because of an undefined framework.
In the past, bug bounty programs have led to the discovery of some of the most critical bugs in organisations’ set-ups. Such initiatives have helped identify and fix issues such as cross-site scripting flaws, improper authentication, and privilege escalation, among others classified as ‘critical’ or ‘high’ severity.
However, organisations must not think of them as the be-all and end-all of their security efforts. In the absence of a comprehensive security plan, organisations will not be able to monitor vulnerabilities effectively. At best, bug bounty programs should be thought of as complementary to an already robust in-house security program.