The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
What is a bug bounty platform?
As Wikipedia puts it: "A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities."
For instance, if Company 'A' wants to audit or test its apps (web and mobile) for security vulnerabilities and bugs, it has two options:
1. Self-host bug bounty / responsible disclosure program
2. List the bounty program on a bug bounty platform such as HackerOne, Bugcrowd, etc.
How does a bug bounty program work?
Bug bounties help connect ethical hackers and a firm’s remediation team. A single bug bounty platform allows both parties to unite, communicate, and patch bugs quickly. Bug bounty program managers track the program’s progress by recording bounty payouts, number of vulnerabilities discovered and average resolution time.
Before launching a bug bounty program, the firm sets the program scope and decides whether it will be private or public. Scope defines which systems are available for testing, how tests are to be carried out, and how long the program will be open. Private programs are invite-only and are not visible to anyone online.
Most programs start as private, with the option to go public once the firm decides it is ready. Private programs help firms pace their remediation efforts and avoid overwhelming their security teams with a flood of duplicate bug reports.
Public programs accept submissions from the entire hacker community, allowing any hacker to test the firm's assets. Because public programs are open, they frequently produce a high number of bug reports (many of them duplicates).
Payout of each bounty is set based on the vulnerability’s criticality. Bounty prices can range from several hundred dollars to thousands of dollars, and, in some cases, millions.
Bounty programs add a social and professional element that attracts top-league hackers looking for community and a challenge. When a hacker discovers a bug, they submit a vulnerability report. This report shows which systems the bug affects, how the developers doing triage can reproduce it, and its security risk level. Reports go directly to the remediation team, which validates the bug. Once the bug is validated, the ethical hacker is paid for the finding.
Why launch a bug bounty program?
Some would ask why firms resort to bounty programs rather than hiring security professionals. The answer is straightforward: many firms do have their own security teams, but big firms like Facebook, Google, etc. launch and develop huge numbers of software products, domains and other assets continuously. With such a large list of assets, it becomes nearly impossible for the in-house security teams to pen test every target.
Therefore, bounty programs can be an economical way for firms to regularly check large numbers of assets. In addition, bug bounty programs encourage security researchers to contribute ethically to these firms and receive acknowledgment and bounties in return. That is why bug bounty programs make a lot of sense for big firms.
However, for firms with small budgets, running a bug bounty program may not be the best choice, as they may receive more valid vulnerability reports than they can afford to pay for given their limited resources.
Top bug bounty platforms
In 2012, hackers and security leaders formed HackerOne because of their passion for making the internet safer. As the leader in Attack Resistance Management (ARM), HackerOne closes the security gap between what organizations own and what they can protect. ARM blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats.
HackerOne is used by large multinational companies such as Google, Yahoo, Twitter, PayPal, Starbucks, GitHub, etc. that have huge revenues and are willing to pay hackers large amounts.
Bugcrowd is another big name in the bug bounty industry. Founded in 2011, it is one of the first and one of the largest platforms.
Many companies trust Bugcrowd to host their vulnerability disclosure programs, and Bugcrowd also offers penetration testing services and attack surface management.
Currently, Bugcrowd hosts over 1400 bug bounty programs. It offers a SaaS solution that blends easily into an existing software lifecycle, making it quite easy to run a successful bug bounty program.
Synack is an American technology company based in Redwood City, California. Synack's business includes a vulnerability intelligence platform that automates the discovery of exploitable vulnerabilities for reconnaissance and turns them over to the company's freelance hackers to create vulnerability reports for clients.
So, if you are looking not just for a bug bounty service but also for top-level security guidance and training, Synack may be the way to go.
Intigriti helps companies protect themselves from cybercrime. It is a community of ethical hackers that provides continuous, realistic security testing to protect customers' assets and brand.
The interactive platform features real-time reports of current vulnerabilities and commonly identifies critical vulnerabilities within 48 hours.
Founded in 2016, Intigriti set out to overcome the limitations of traditional security testing. Today, the company is widely recognized for its innovative approach to security testing, which has shaped both customers' security awareness and security researchers' lives.
Immunefi (Focused on Web3):
Immunefi provides bug bounty hosting, consultation, and program management services to blockchain and smart contract projects.
Since its founding, Immunefi has become the leading bug bounty platform for Web3 with the world's largest bounties and payouts.