As computer software becomes increasingly complex, serious security flaws can creep in, leaving systems and organizations vulnerable.
That's why companies large and small are turning to outside hackers and expert hobbyists to track down the errors that slip into even the best-designed software. Known as "bug bounty" programs, they are embraced by Fortune 500 companies as well as many of their smaller peers.
Hemang Subramanian, assistant professor of information systems and business analytics at FIU Business, has found that successful bounty hunters can make serious money, as much as $75,000 per instance, and more if they offer a fix. In some cases, bad-guy hackers, known as black hats, have come in from the cold and become good-guy hackers, or white hats.
"Bad guys rarely engage on legal disclosure platforms, since once identity is revealed, they can't remain a bad guy," Subramanian said.
In the January/February 2020 issue of IEEE Software, Subramanian and Suresh Malladi of the University of Arkansas laid out bug bounty best practices. In their study "Bug Bounty Programs for Cybersecurity: Practices, Issues and Recommendations," the researchers analyzed 41 bug bounty program specifications from a variety of companies, coding the documents for common and differing elements using grounded-theory analytical techniques. The distillation yielded five areas where companies should focus their best practices: the scope of the bounty program; the timing of participation in bug bounty programs; improving the quality of submissions; facilitating communication between organizations and bounty hunters; and fueling hacker motivation.
The researchers recommended several steps: planning these programs as part of new product development; engaging researchers early in testing; tying rewards to the value of the bugs found and the fixes suggested; and nurturing a consistent talent pool.
"The paper is about recommendations that software firms can leverage into their development practices," noted Subramanian, who once served on Yahoo's Paranoid Team as lead paranoid. "We argue that all practice areas will increase vulnerability discovery, thus making software more secure."
In a related study by the same authors, "Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure: An Empirical Analysis," published in the January-March 2020 issue of the Journal of Database Management, the researchers examined how bug bounty programs have created a marketplace of their own. With cybercrime costs reaching nearly $600 billion each year, Subramanian and Malladi modeled the marketplace as a race among three actors: those who, on finding a vulnerability, would exploit it or sell it to bad actors; good guys, who would disclose the vulnerability to the correct company or vendor; and the vendors themselves, who offer the bug bounty programs.
The study, conducted over a two-year period, examined 54 vendors that offered bug bounty programs, covering 533 separate disclosed vulnerabilities. The researchers found that the number of bugs discovered at a firm and the bounties it paid are inversely correlated.
Another key finding is that security researchers self-select into bounty programs run by firms that not only had a high number of bugs historically, but also offered the highest rewards per bug. Reward size therefore mattered more than the number of bugs previously found, as security researchers sought the highest reward for the effort expended.