Bug Bounty Programs

Traditional testing methods like the penetration testing described above examine your systems and environment selectively and at a single point in time. In today's rapidly changing environment this is no longer sufficient. New vulnerabilities are disclosed daily, so the results of a one-time penetration test start to age the moment they are delivered.

Also, the result of a penetration test is often a long list of findings, because such tests cover all aspects, including theoretical weaknesses that are not exploitable today but could become a problem in the future. In practice this means that only some of the findings are immediately actionable. A white box test is nonetheless ideal for initial testing: it gives the testers a holistic overview of your systems and infrastructure and therefore the best chance of finding the bulk of the existing vulnerabilities so that they can be fixed.

But this is just a snapshot in time. If a new release or even a routine software update goes live after the test has been performed, it can introduce new problems that the previous test never saw. And we all know this will happen; just look at how many problems a simple operating system update can introduce on your own computer.

Adding a bug bounty program to the mix means your systems are tested continuously, so vulnerabilities introduced by new releases are far more likely to be identified promptly rather than lying dormant until the next scheduled test.

What is a bug bounty program?

When hearing the term "bounty hunter" people usually think of the Wild West, where gunfighters received a bounty for hunting down "wanted" persons. A bug bounty program is similar, but in the virtual world, and instead of "wanted" persons the bounty hunters are hunting bugs (errors, malfunctions). Here, hackers receive a bounty for identifying a software defect, since in practice nearly every exploitable security issue comes down to a software error or a misconfiguration. And the more severe the defect, the more generous the bounty.

Already many years ago Internet pioneers like Netscape (the de facto web browser standard at the time) launched a bug bounty program, in 1995, inviting users who tested the beta of its Navigator browser to report any bug they could find and receive a reward for doing so. It took a while for such programs to gain momentum, but today many companies consider bug bounty programs an effective addition to their security measures. The crowd intelligence of registered ethical (friendly) hackers is constantly attacking your systems within pre-defined rules, namely the scope of what may be tested and the rules of engagement, and hackers are rewarded with a bounty (payment) for identifying verified security issues.

In contrast to penetration testing, such a program is typically an outside-in, black box approach. Testers (hackers) don't have access to source code or other internal company resources. They approach your systems the way criminals would.

Therefore, the ongoing result of a bug bounty program is a much shorter list of vulnerabilities than a white box penetration test produces, but it is a list of reproducible issues that criminals could exploit right now. Because the list contains only verified, actual issues, it allows you to take immediate action.

Another key difference of bug bounty programs is the continuous checking of your systems and applications, so updates and new releases are automatically included in the process. Organizations are sometimes hesitant to allow hackers to attack their applications, but let's be realistic: this already happens in an uncontrolled way all the time, so it is better to have it done in a controlled way, with agreed rules and a defined scope, and discover issues before they can be exploited.

Advantages of Bug Bounty programs

They solve the "snapshot in time" issue of traditional penetration tests. With a bug bounty program, security testing takes place on an ongoing basis and therefore provides continuous information about the security situation of your systems and infrastructure. You gain uninterrupted insight into reported security issues and can take action as soon as a report is verified.

The above usually also means a faster response. A bug bounty service can provide faster and more efficient identification and resolution of security vulnerabilities, since the researchers are incentivized to find and report issues as quickly as possible, and a well-run program triages and confirms those reports promptly.

Another advantage is the use of collective knowledge. Bug bounty services provide you with the swarm intelligence of a large community of trusted friendly hackers, and this combined expertise is typically far broader than that of one or a few penetration testers. With such a service, you are served by a community of hundreds of security researchers worldwide and gain access to a much wider range of expertise, knowledge, and backgrounds. This reduces the risk of a successful cyberattack, and your own experts and developers will learn from our ongoing reports and thus steadily expand their cyber security knowledge.

A bug bounty program is often more cost-effective than traditional security testing methods, since you pay for results instead of paying for time spent testing. We offer such programs to companies of all sizes, and they pay only for the identification of verified vulnerabilities and impactful flaws. Furthermore, we can also run such a program on a pre-defined budget and trigger an alarm once the payouts for verified vulnerabilities reach a pre-defined threshold.

Also, running a bug bounty program signals a proactive and responsible approach to security, which can be a valuable marketing and public relations tool.

Another interesting side effect is that bug bounty programs raise internal awareness of cyber security. Neither software developers nor vendors want to be confronted repeatedly with reported issues caused by their own code or configuration, so the steady stream of verified findings creates a real incentive to build and ship more securely.