Five Reasons to Start Paying White Hat Hackers for Vulnerabilities

Against the backdrop of a constant increase in cyberattacks and a shortage of professional personnel in the field of information security, more and more organizations find that they need to launch bug bounty programs. Such programs make it possible to attract thousands of freelance security researchers to search for vulnerabilities in IT infrastructure, software, and web applications. At the same time, customers pay only for the actual result, the vulnerabilities found, and not for the time spent searching for them. Depending on their conditions and capabilities, organizations can launch bug bounties independently or on specialized platforms.

Positive Technologies research shows that IT companies, online services, the service sector, trade and financial organizations are among the leaders in using vulnerability search platforms. Analysis of results from the Russian bug bounty platform Standoff also revealed that government agencies rank second after IT companies in the number of bug bounty programs launched. In Russia, the interest of government agencies may become a driver of growth in the bug bounty market.

At the same time, analysis of the domestic bug bounty market indicates great potential for growth. The advantages of this method of security verification have not yet been recognized by all important industries. For example, fuel and energy companies or developers still rarely appear on bug bounty platforms, not to mention small and medium-sized businesses. This situation is due not only to objective difficulties, but also to the misconceptions about bug bounty that exist in the business community. Let's look at the most important of them.

Does everyone have vulnerabilities?

As a study by Positive Technologies showed, in 2022–2023, only 14% of all software manufacturers responded promptly to vulnerabilities discovered by researchers and released updates in the shortest possible time.

Some companies still believe that vulnerabilities indicate security shortcomings and low levels of information security competence among employees. The management of such organizations fears that the mere recognition of vulnerabilities and risks will damage their reputation.

In fact, the only question here is who will find the vulnerabilities in your infrastructure faster: attackers or information security researchers. Absolutely secure systems simply do not exist. Before cybercriminals actually hack you, you need to act proactively: launch bug bounty programs and involve specialists to find and then close the gaps. It is not shameful to admit the presence of a vulnerability; it is shameful to ignore the problem and put your clients and partners at risk.

Is all hacking bad?

The next misconception is related to the prejudices common in society and the business environment regarding hackers and hacking as an activity aimed at finding security flaws. Many companies simply do not realize the real benefit of cooperation with information security researchers or, as they are also called, bug hunters. These specialists are hackers too, but white hats: they openly and legally search for vulnerabilities in the infrastructure, products and services of companies for a fair reward.

Hacking usually requires passion. For some it may be just a hobby, for others their main source of income. In any case, searching for and discovering vulnerabilities gives the researcher pleasure. And, as a rule, they have a sense of responsibility.

Any organization needs an external security check. Experts usually recommend starting with penetration testing, or pentesting, which simulates real attacks by intruders. This legal and fully controlled hacking lets you identify which attack techniques succeed, so that based on these results you can build a security system, organize monitoring, and respond promptly to incidents.

When entering a bug bounty, many companies (wishing to play it safe and study the process more thoroughly) start by launching closed programs. In this case, you can select specialists who meet specified requirements, or invite the most advanced researchers.

Are all hackers equally scary?

The third misconception is closely related to the previous one. Its essence is that the errors found in the bug bounty will allegedly be used against the companies themselves.

In reality, there is simply no point for attackers or black hat hackers to register on the platform and earn ratings to gain access to closed programs: that way they risk being exposed.

Most often, the systems put up for bug bounty are online services, websites, social networks and other systems that are already accessible on the Internet. Attackers may well have already scanned them and may be able to hack them. In this respect, bug bounty gives no advantage to an attacker who decides to register on the platform.

In addition, a community of ethical hackers is formed around bug bounty platforms, and direct communication is established between vendors and bug hunters.

Is it expensive?

The next common misconception is that bug bounties are an expensive luxury available only to large organizations with large information security budgets, while small and medium-sized businesses simply cannot afford them.

This is where specialized bug bounty platforms come to the rescue: they provide all the infrastructure needed for effective vulnerability search programs, help establish interaction with researchers, and provide expert support. Most importantly, clients pay only for results: the size of the reward depends on the severity of the vulnerability, not on the time spent finding it. Thus, bug bounty on platforms, by allowing companies to prevent costly hacks, turns out to be an accessible and cost-effective solution for small and medium businesses.

According to Positive Technologies, the starting cost of the bug bounty program (including determining the boundaries of the research and pricing policy) is calculated individually and depends on the type of activity, size and capitalization of the client company. A subscription to the platform also includes attracting researchers, infrastructure for receiving reports and generating analytics, checking reports and verifying vulnerabilities. The average cost of a subscription to bug bounty services is 1.4 million rubles per year, and the average platform commission is about 15% of each payment.

Before launching a bug bounty, experts advise getting rid of the vulnerabilities that can be quickly found by scanning the infrastructure, which saves budget.

In addition, it is worth considering that bug hunters are not always hungry only for money: they can also be attracted by charity, recognition of their merits, and an understanding of the importance of the services they are investigating. Ethical hackers are often more willing to investigate the applications, services and sites that genuinely interest them. In this case, their motivation is simple: they want what they, their family members or friends use to work flawlessly, and the data they leave on their favorite resources to remain safe. Therefore, with successful positioning, even programs with a small budget can succeed.

Is it possible to protect yourself from everything?

The fifth misconception is related to the belief that it is impossible to protect yourself from all possible cyber threats. In practice this is true, but the problem lies in the wrong approach, because you do not need to protect yourself from everything.

There is no silver bullet, but the modern concept of effective security, which includes threat prioritization, allows the organization to focus on the most important threats: unacceptable events. The list of such events should be determined by the company's management together with information security specialists. The main idea of this approach is to protect the most important and valuable assets, those on which a negative impact could change the operational and strategic goals of the organization or cause a long-term disruption to its core business.

Financial losses and reputational damage are examples of universal unacceptable events. However, different types of organizations may have their own, specific to them or their industry: for example, production shutdowns for industrial enterprises, service disruptions for government agencies, or website defacements for the media.

Experts are convinced that the future of bug bounty lies not just in finding vulnerabilities, but in exploring the most dangerous scenarios for organizations. In this case, bug hunters identify and help close not just a single gap, but entire chains of errors that lead to unacceptable consequences.

On the Standoff Bug Bounty platform, programs focused on unacceptable events are allocated to a separate category with an increased reward. Positive Technologies was the first to launch such a program — Positive Dream Hunting. In it, the company first defined one unacceptable event for itself — theft of funds from accounts, and then added a second one — the introduction of conditionally malicious code into its products. A record reward of 60 million rubles was set for the implementation of each of the two scenarios this year. And the Innostage company is ready to pay up to 5 million rubles for a similar scenario.

Conclusions

Bug bounty programs make it possible to implement the most promising crowdsourcing approach to security. With their help, companies can attract thousands of information security professionals to search for and close vulnerabilities, as well as to study scenarios in which unacceptable events could be realized. Bug bounties also have such important advantages as a focus on results, continuous testing, flexibility and scalability, and a transparent reward system.

Bug bounty platforms — aggregators that collect programs from various organizations — help overcome the difficulties that organizations face when they decide to launch vulnerability search programs. Such platforms allow security researchers to choose the project they are interested in, and help client companies choose target applications, testing systems, and research boundaries. They also take on all the main work of interacting with researchers and verifying their reports. This allows IT departments of companies to focus on improving applications and systems.

However, to fully appreciate the benefits of bug bounties, it is also important for organizations to overcome their own prejudices and misconceptions, and to reconsider their attitudes toward hacking and security researchers.
