Bug Bounties: An Overview of Their Past, Present, and Future

Bug bounties, security acknowledgements and reward programs all have strong ties to IT security today. But that wasn't always the case. In the past, public penetration testers and security researchers mostly looked out for their personal benefit without recognizing their own responsibility to the security community. The reason? In a lot of cases, the consultants and pentesters were only interested in making money. Given this self-interest, bug bounty hunters and security researchers operated outside the regular business some years ago. Organizations mostly did not want them for their expertise. But this changed with the startup of Vulnerability Labs in 2006 as first bug bounty community in the business. Looking ahead, the big questions will not be about how participants can earn individual success as a result of bug bounty programs. The questions will mainly be about how much the bug bounty sector can help address organizations' security concerns. In an interview with Softpedia, the CEO of Vulnerability Labs reflects on these issues:

"The greatest fear of the security industry is that the private industry (like us) jumps into the market to show what they missed or completly ignored for years. Sometimes the security industry needs to change the tactics of prevention to secure the most important infrastructures."

Today, there are three big players (Bugcrowd, Vulnerability Labs and HackerOne) that are active in the market with stable bug bounty disclosures and public security acknowledgements. It is very hard for new players to integrate their programs globally because of invisible restriction, network zones of the scene, required capabilities and, of course, capital investment. Some of the public programs use rented commercial ticket or sales systems for management with integrated plugins, while others employ an unique developed environment. Regarding the researcher's perspective, some programs have resources like videos, documents and independent programs, while others don't own the copyright to display more than a researcher ticket. Overall, each community should build a castle thats of worth for others in the community. The goal of any bug bounty program is to get participants to not focus only on money and influence. At the same time, the goal of each company in that sector is mainly to build a stable environment for the different layers, as well as to ensure they can cover multiple services like monitoring, coordination, customer programs, acknowledgements and the basic office logistics. Depending on the model, the success depends and will become visible within the next years. Most people believe that the commercial programs with sales-teams and investors may crash at some point because of an incomplete business model. The independent programs have, for example, less money to move their developments but they can raise to the top of a business quickly if organizers build an independent environment. The companies with such models are very unique and not connected, restricted, or regulated by any contractor. The movability of each model has his success, but there is a clear difference between the independent and the commercial parties. In the near future, new development processes and services will become public. These resources will help to decentralize the full commercialized system back to the roots with new models and design. Therefore, all the major bug bounty platforms are working on developing new functions and programs. Everybody is excited for the near future; I can't wait to see what it has in store.  

Image

About the Author: Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His research interests include vulnerabilities in computer systems, bug bounties, the security of e-payment services, and the protection of privacy. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.