
Bug bounty programmes made easy

THE ARTICLES ON THESE PAGES ARE PRODUCED BY BUSINESS REPORTER, WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS

Wednesday 06 October 2021 18:39 BST

At Business Reporter, we publish a website about cyber-security, teiss.co.uk. Needless to say, hackers are constantly trying to break it.

Keeping Business Reporter and teiss safe is important. We don’t want people publishing unauthorised content or hackers stealing the contact details of our subscribers.

However, as for any small business, it is very hard to find the time and resources needed to keep it secure. New weaknesses of popular publishing platforms such as WordPress (which we use) are always coming to light. It’s hard to keep up, and we can never be totally sure that we have found all the potential bugs or security weaknesses.

Then we came across bug bounty and realised that tracking down bugs in our systems would be less troublesome than we first thought.

What is a bug bounty?

Bug bounty programmes offer rewards to ethical hackers who discover bugs or security weaknesses. They are often run by big software publishers such as Microsoft so they can fix these issues before they’re discovered and exploited by the bad guys.

Companies often hire a team to test the security of their website or system before deployment. But what happens when new features or updates are pushed? What about the bugs or weaknesses that these teams miss?

This is why it makes sense to sign up to a bug bounty programme to ensure the system gets tested by a vast range of freelance security experts, not just one team. Bug bounty programmes also ensure that the system is always being tested, not just at one point in time. This ensures bugs introduced by new features or updates get caught and fixed before they get exploited by black-hat hackers.

What are ethical hackers?

An ethical hacker is a security expert skilled in testing the security of websites, mobile apps and IT systems to identify bugs and vulnerabilities. These professional bounty hunters employ the same techniques used by black-hat hackers, but do so legitimately with the permission of the owner. This helps identify and resolve any vulnerabilities before they are found by hackers who are rather less ethical.

Many companies attempt to run their own bug bounty programmes, but finding and managing a team of freelance hackers isn’t simple. Are they ethical? Are they skilled? Will they be bothered to work for you? And are the bugs that they uncover genuine problems?

This is why even huge companies like Amazon do not run their own bug bounty programmes in-house, choosing to run them through a bug bounty platform. However, these bug bounty platforms are very expensive to start with as they are geared towards such big companies. And that’s where bug bounty comes in.

How does the bug bounty service work?

The bug-bounty.com service is aimed at small and medium-sized businesses such as Business Reporter, which don’t have the time, budget or resources to build and maintain their own ethical hacking teams. The service gives companies such as ours access to a large number of experts who can probe our defences and look for vulnerabilities.

We pay a small monthly fee, with no set-up costs, and the hackers are rewarded when they discover a new bug. More on how they are rewarded in a moment.

Bug bounty also employs its own team of ethical hackers to review and validate the submitted bugs, and only forwards valid problems to us. If the bug isn’t real, or if it has already been fixed by a software update, we don’t get notified because it isn’t going to affect us.


Are bug bounties dangerous?

Not at all! Giving security freelancers free rein of your systems may seem counterintuitive or even risky at first, but these skilled ethical hackers work with your permission and within pre-agreed constraints and conditions. For example, the freelance hackers will be contractually obliged not to keep any sensitive customer data that they might uncover.

It’s important to keep in mind that you are not giving these ethical hackers any advantage over other internet users. All you are doing is agreeing with them that if they find a hole in your defences, they won’t exploit it, and you will reward them for telling you about it.

Do small companies really need a bug bounty?

Every organisation needs this type of service. Like many smaller companies, we use standard software provided by major companies. Most of the time, that software is going to be relatively secure if it’s set up securely. However, a lot of major data breaches are caused by oversights and misconfigurations.

Working with bug bounty means that even if we haven’t set up our systems 100 per cent perfectly, we’re limiting our risk of a data breach by ensuring our systems are regularly tested by experts. As mentioned earlier, it also ensures that new updates and new features are tested.

What do the ethical hackers get out of this?

Freelance ethical hackers have a variety of motives. Some simply enjoy searching for bugs, while others do it for the money. Google paid out £5 million in total to ethical hackers last year, with the largest single reward being about £100,000.

That’s a lot of money – more than we can afford. But with bug bounty, it’s up to us how much compensation we offer. Too little, of course, and most security experts won’t bother to help us, but it needn’t be expensive. Many freelance ethical hackers are building a career and finding a bug that is validated as genuine adds to their CV.

Instead of paying out a small monetary reward for finding a bug, some companies may prefer to pay with “points” that are displayed on a leaderboard. This method of gamification encourages competition among bounty hunters, leading to even more vulnerabilities being found.

The bottom line

Why did we sign up for this service? Simple. We are warned about genuine vulnerabilities in our IT systems. Each bug we are notified about has been validated by professionals, so there are no false alarms to waste our time. In addition, it doesn’t cost the earth. We just pay a small monthly fee plus a little extra each time a serious bug is found.

To find out more about how the service works and sign up, contact Bug Bounty

Originally published on Business Reporter
