Risk vs reward: how to talk about bug bounty programs

Being able to clearly articulate the problem with an understanding of current spending and ROI might help to assuage fears around bug bounty programs.

As someone who is just entering the industry, perhaps you think more progressively and are willing to consider non-traditional programs. 

Maybe, you think your enterprise would benefit from a bug bounty program, but you don’t quite know how to convince your team, your management, or your board that the risks of not investing in a bug bounty program may very well outweigh the rewards of working with an outside researcher.

Casey Ellis co-founder and CEO at Bugcrowd offers some advice on how to approach the conversation.

Bugcrowd put out a new report on the breakdown of what a bug actually costs a company, the priority that should be placed on vulnerabilities (P1 through P5), ways companies can budget for these bugs, and how a new approach is changing the security landscape.

Ellis said, “The reason for Bugcrowd was that we were looking at the existing models for vulnerability discovery and realized that automation is getting them part way through the problem but leaving a gap.”

For an enterprise, going out and hiring people has the potential to close that gap, but the market has historically been out of balance in compensation. “You have people that are paid by the hour on the defender side, but on the attacker side, it is a lot different.  They have advanced skillsets and different motivations,” Ellis said.

Ellis had customers that were seeing the benefits from Facebook and Google’s programs and decided it would make more sense to create a level playing field by building a better army for the defender side.

How do we actually budget for this? 

Because many enterprises remain tentative about doing business with hackers, there are many pricing inconsistencies in the bug bounty market. Earlier this week, Ken Baylor mentioned that a company could get a quote of $85,000 from one company and $15,000 from another for the same exact work.  

Ellis said that when enterprises hire individuals, they often are only engaging a single pair of skills which is driven by the fact that it’s a pretty fragmented market.  Indeed, there are some major players, but none are really dominant at this point.

In order to know how to budget for a bug bounty program, an organization needs to gain an understanding of its security maturity. Ellis said, “They need to know how many potential targets there are, and how much they want to initially offer.” 

Where do we start our pricing? 

The security programs in place are currently collecting lots of data, so Ellis advised, “In order to publish their initial pricing, we suggest that a company draw a line in the sand based on all of the data that they’ve collected. As they grow through the program, they can increase the size of the rewards to entice the testers deeper into the layers.”

After the first vulnerability is discovered, companies usually have that “Oh my!” moment, and will continue on with deeper testing. Ellis said, “This means that you’ve progressed in your organization. At that point you have fewer bugs.”

How do I pitch this to my team and my management?

Ellis said, “Advocates for us are usually quite progressive in how they think” because they aren’t looking to make headlines or have notable sound bites. They want to actually improve the outcomes. The question then becomes, “How do you empower the individual to tell that story? There is some stuff that is novel,” said Ellis.

In order to be taken seriously, it is most important to be able to clearly articulate the problems. “Look at it from the angle of do we feel like we are getting ROI and bang for our buck? If yes, then why are we settling for that? Is there a way we can improve?” said Ellis.

Money is a language executives and board members understand. Ellis said, “What they are asking is actually ‘here are these budget line items that we’ve had for years.  How do we get better benefit from it? How do we assess the alternatives to do vulnerability discovery?’” If you gain an understanding of what is being spent on programs that have an analogous outcome, you can broach the topic with more confidence.

In bringing the bug bounty conversation to the table, you need to be prepared for what has traditionally been the biggest hurdle for companies to get over—the perception of risk around this model.

You might find some success by weighing out risk vs reward. The risk is engaging a new idea of trusting people from the outside. To assuage those concerns, Bugcrowd has added tiers of trust, Ellis said. “If the vulnerability is there, you can’t control what an adversity is going to do, you can only control where you are vulnerable,” he continued.

Trust the skills and knowledge that got you to the job, and as Bastian so many times said to Atreyu, "Be confident!"

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)