Why Bug-Bounty Programs Are Failing Everyone

Published: 23/11/2024   Category: security

In a Black Hat USA talk, Katie Moussouris will discuss why bug-bounty programs are failing in their goals, and what needs to happen next to use bounties in a way that improves security outcomes.



It's been about a decade since the hype around bug-bounty programs first went supernova, but the jury is still out on their effectiveness. According to Katie Moussouris, founder and CEO of Luta Security, the average organization struggles to squeeze meaningful security results from bug bounties and continues to wrestle with execution.
Bug-bounty programs are certainly more mainstream than ever, with bounties now popular at far more than just the big-name tech companies. Product security and enterprise cybersecurity professionals at a growing range of organizations increasingly turn to such programs to act as an application security backstop, often fueled by the convenience and sales machine of the growing bug-bounty platform market.
But while many organizations may start out strong with their bug-bounty programs, at about the 18-month to two-year mark they start to collapse under their own weight, Moussouris tells Dark Reading.
This collapse is typically heralded by overwhelmed, overworked program managers at these companies who are unable to keep up with the volume of bugs submitted by bounty hunters, as well as by software that remains riddled with vulnerabilities and often plagued with the most basic security flaws.
"I can tell you that bug bounties have been a great idea poorly executed for the last decade or so," says Moussouris, who will be discussing the challenges in a talk scheduled for Thursday, August 11 at Black Hat USA, "Bug Bounty Evolution: Not Your Grandson's Bug Bounty."
"I think that there's room for a ton of improvement, not just in how bug bounties are designed and executed, but also in the holistic picture of the ecosystem in which a bug bounty operates," she said.
One of the big systemic issues is that many bug-bounty programs are implemented irrespective of the maturity of the underlying cybersecurity program's practices: asset visibility, vulnerability management, developer training, and more, says Moussouris. While bug bounties may be a great supplement to a solid base of application-security practices, some organizations mistakenly believe they can rely solely on the bounties to keep their software safe.
"From our perspective, we like to say no bug-bounty Botox. We want you to be pretty on the inside," says Moussouris. "We want organizations to be not just prepared to fix the bugs thrown over the fence in a vuln-disclosure program or bug-bounty program, but to be actually looking at their core security investments. [They also need to be] using bug-bounty programs as an indicator of health of their overall security program. Because if you think about it, every bug is a symptom of an underlying disorder in their security system."
Moussouris says that the issue is, at its core, a systems-dynamics problem. At Black Hat, she plans to explore recommendations on how security teams can design their holistic program to use bounties so that they create the deliberate security outcomes they want, outcomes which can be demonstrated in a meaningful and measurable way.
Ultimately, she believes a bug-bounty program shouldn't just highlight the low-hanging fruit that can be discovered through traditional application security practices, but should also provide incentives for surfacing the complex, hard-to-find, and harder-to-exploit flaws.
Moussouris says her talk will also tackle the flip side of the bug-bounty ecosystem — namely the fact that the system doesnt serve bug-bounty hunters very well either.
"It's like the worst gig-economy job you could possibly get," she explains. "Worse than an Uber or Lyft job, because you get paid with every gig that you take with Uber and Lyft; you do not get paid for every single bug you find if you are a bug-bounty hunter. So both sides of this marketplace have been done wrong by the commercialization as it currently exists."
Ancillary to that, she'll explore what the security world needs to do to expand the marketplace for security labor, including taking a deep dive into apprenticeship models and building a pipeline for developing talent and education around vulnerability remediation and application security resilience.
