Conservative enterprises have been tentative about joining forces with hackers, but third-party bug bounty platforms have proven that their vetting process ensures a highly qualified and trustworthy talent pool. Because security researchers are able to discover vulnerabilities and alert enterprises to flaws in applications before a breach, there is value in trusting ethical hackers.

Bugcrowd’s recent State of Bug Bounty report noted that many bug bounty programs are commonly run on third-party platforms that “manage the operational end of the programs, bringing the research community together and handling the payment process, opening up the opportunity for more companies to successfully run bug bounty programs.”

While companies from Facebook and Google to Tesla and United Airlines have popularized bounty reward programs, more conservative enterprises outside of the technology industry, such as larger financial services and healthcare organizations, have not been as comfortable taking the leap of faith that the benefits of bounty programs outweigh the risks. This tentative response across industries outside of tech has led to the rise of private or invitation-only programs.

Jay Kaplan, CEO of Synack, said that for these more conservative enterprises, it is “really important to have contractual obligations.” Companies want to know who they are dealing with, and a vetting process that includes background checks and behavioral interviews can winnow down the candidate pool to the most trustworthy prospects.

“Candidates need to be well versed in techniques, but a vetting process has to be about both skills and trust,” Kaplan said. The vast majority of enterprises want to know that the people they are dealing with can be trusted.

“Some companies,” Kaplan noted, “will never be able to take that leap of faith that they can trust doing business with hackers who haven’t gone through some screening process.” Kaplan said that as more success stories reveal the efficacy of private bounty programs, “more conservative organizations will adopt these measures.”

There have been a lot of security successes in both public and invitation-only bounty programs. The successes run the gamut from finding criminals gaining access to files or transferring money from accounts to a variety of other serious issues that have gone undetected for months.

The Bugcrowd report noted that 67.7 percent of the vulnerabilities detected in public and invitation-only programs included, among other flaws, information leakage, password recovery, lack of security headers, and authentication issues. The top six vulnerabilities that make up the remaining 32.3 percent of issues include XSS, CSRF, Clickjack, Mobile_Device, SQLI, and Mobile_Net.

Bounty programs join together those who are capable of finding these and other vulnerabilities with those enterprises who need to protect themselves against criminals with malicious intent. Perhaps a different way of looking at bug bounty programs is to move beyond the connotations associated with the word ‘hacker’.

Alex Rice, CTO and co-founder of HackerOne, said, “The hacking process naturally identifies security flaws or weaknesses. The goal is to have conversations with the people who have good intentions.”

Hacker doesn’t equal criminal. “A hacker,” Rice said, “is anyone who thrives on how things are put together, which is IT security personnel, all the way to some with grayer backgrounds.”

In 2011, Facebook decided to build and maintain a very strong relationship with the hacker community, said Rice, and they were very transparent about problems they had and looked for ways to solve those problems. “They worked at both the reactive and proactive level, and it became an ingrained procedure to have conversations with external people about something that went wrong,” Rice said.

What proved to work in this intimate relationship between the hackers and the enterprise, according to Rice, was a gentleman’s agreement of a responsible disclosure policy. “It legitimizes the activity of hackers on the platform when an enterprise says, ‘if you follow these steps and behave in good faith we will never do anything against you,’” Rice continued.

Indeed, there are many people out there who are capable of breaking security, but “the more creative minds you have, the more likely it is that they will be successful, and the more difficult it is for a criminal to compromise,” Rice said.

Almost all of the vulnerabilities discovered are things that can be accessed or exploited remotely, Rice said. “Deep in the code base. Someone on the inside might recognize that there might be a security flaw if all these other things are true, but bounty is somebody on the outside.”

Many vulnerabilities are somehow connected to the Internet. The majority of them are in web and mobile apps that run on the platform through open source. Rice said, “There is a tremendous amount of diversity that they find, so it’s a challenge to try and categorize them.”

What every enterprise has in common, though, is that they are susceptible to vulnerabilities that allow someone to completely compromise a network from the outside.

Marrying the powers of inside and outside talents requires a shift in thinking. It’s sharing the keys, which feels downright scary for some enterprises. Rice said, “This is something that everyone has universally gotten wrong, living in this delusion that they can solve security issues by themselves.”

“You have to ask for help. Asking and incentivizing others to find out what you are missing. A criminal only needs to find one vulnerability, and you as the defender need to find all of them. You can’t,” Rice said. Bounty programs are essentially asking hundreds of other people to identify that thing they think they might have missed or they don’t know that they missed.

Sean Curran, director in West Monroe Partners’ Technology Infrastructure and Operations practice, said, “Bug bounties have also led to the development of automation tools and bug identification techniques that can be used to assist with quickly identifying poor coding practices or potential vulnerabilities.”

The greatest challenge with security is that very little can be categorized. Curran said, “As we continue to see an increase in the Internet of Things market, which includes extending connectivity to devices that were traditionally never designed to be publicly accessible, we will continue to see products that lack the security controls and security maturity of traditional software products.”

These evolutions in technology open more doors for vulnerabilities to go undetected. “There is no one flaw or flaw type that is missed. Each product presents a unique solution solving a unique problem. The vulnerabilities in Java differ widely from those in Internet Explorer,” said Curran.

It is this uniqueness that results in the challenges with identifying and resolving every bug possible, Curran noted. “If it were that simple, we wouldn’t see the vulnerabilities we do today because someone would automate a solution,” he continued.

“The US DoD and DARPA run annual challenges that could be construed as bug bounties. They have recognized that the power of many minds looking at problems through different lenses and with different experiences can result in innovative approaches to solving a problem,” Curran said.