Bug Bounties and Zero-Day Responsible Disclosure

By Matthew Stelnicki

Bug bounties have become a widely acceptable form of vulnerability testing within organizations of all sizes. Organizations as small as newly created start ups all the way to the Pentagon host bug bounty programs, which usually offer large rewards to participants who discover security flaws. As with anything there are two sides to this equation. While bug bounty programs may be an efficient and cost effective way to identify zero-day vulnerabilities within an environment, they also may welcome anyone to potentially access sensitive data, and may not be suitable for companies with an immature security posture.

Bug bounty programs are a great and cost effective way to test an environment. When hiring a pen-testing team companies typically pay for the entire time they are working, as opposed to bug bounties, where payments are only made in the case of successful intrusions. Most of the time is spent trying and failing and failing some more before someone can successfully find and properly exploit an issue. Financially it makes sense for an organization to take this approach to finding hard to discover issues rather than the traditional pen-testing route. 

Bounty programs also bring in large crowds with many different testing methods. This has both its ups and downs. Bringing in large crowds is a great way to test the entire environment in many different ways; however, keeping all the participants within scope can be an challenging. Even when the rules are clearly stated, participants might have the urge to go the “extra mile” or beyond the boundaries to gain access. If these participants are willing to bend the rules here, where are their limits? With a large number of security researchers and hackers performing a pen-test on a target system, it is hard to filter out the participants who have another agenda in mind. 

Outside of bug bounties, hackers and security researchers are always on the hunt for zero day bugs within organizations that can potentially be a huge threat to the public. When these vulnerabilities are found there is a process of responsible disclosure that should be followed when releasing these discoveries to the public. Typically, when a zero day bug is found all parties involved come together to discuss an appropriate period of time to resolve the issue before it is released to the public. It is important to allow the organization a chance to remediate their vulnerabilities before going public so they're reputation remains intact, and the details of their systems’ vulnerabilities are not spread to hackers with malicious intents before the fixes are made. One issue bug hunters have with notifying organizations of their zero day bugs is that they often want compensation for their discoveries. However, they are not able to force an organization into compensation since that would classify as extortion and, in a way, they then begin to become the criminals they work to help protect against. 

Bug bounty programs have proven to be a cost effective approach to intensive penetration testing of an organization with a mature security program. The programs have also gained support from those in the hacking community who believe in keeping the confidentiality, integrity, and availability of these systems for the organization and the public who depend on these systems. When properly executed, bug bounty programs work in favor of both sides by offering compensation where it is earned, and providing an incentive to those who participate to release their findings appropriately. For environments that may be less mature from a security perspective, or where compliance requirements have to be met traditional penetration testing is the better choice.