How much is a bug worth?
1Password recently raised its top bug bounty reward from $25,000 to $100,000. They increased the amount to further incentivize researchers, according to its blog. Separately Google paid out $3 million last year for its vulnerability reward program.
But how are these figures determined?
David Baker, vice president of operations at Bugcrowd, believes these big bounties demonstrate that organizations are really starting to think about the market and where the market is pricing vulnerabilities.
“What’s a bug worth?” is a common question among organizations looking at crowdsourced security testing, he said.
“The answer will continue to evolve as the market for bug bounties matures, but the key to success remains the same — attracting the right researchers with the appropriate incentives. However, what most companies don’t realize are the various complexities that go into determining bounty payout ranges,” Baker said.
From defining scope to establishing attractive payout ranges and attracting a solid crowd of researchers to actively participate, starting a program can be complicated and become more complicated as the program matures. Here are some best practices Baker shares for scoping bug bounty programs, including how and when to raise the payouts, as well as how companies can get the most out of their programs.
- Start off on the right foot: When scoping a program initially, it’s important to underscore just how critical the scope is for the success of a program. In its simplest form, the scope tells the researchers what they should and should not test – which is critical to getting the results you want from your crowdsourced program. This extends to pricing targets as well. Put yourself in the researchers’ shoes. You know how much a particular vulnerability is worth to your company – that’s how much you should pay for it.
- Define what a bug is worth: This is one of the most important questions an organization needs to ask when creating a successful scope and it varies depending on the organization, its targets, and in some cases, on the size of its security team. As more and more companies align their business and security goals with their crowdsourced security programs, we’re beginning to see a general increase in motivation and activity amongst the crowd. By taking a critical look at and evaluating the business impact of the potential vulnerabilities as well as looking at the marketplace for bugs, an organization can correctly define what a particular bug is worth at any point in time (it can and does change).
- The right price at the right time: The security maturity of an organization is a critical factor in determining how to reward a vulnerability. An organization with a more mature security program has security-focused processes in place, and thus, vulnerabilities require more time and effort to find. For these programs, we also encourage defined program rewards for vulnerability types based on priority, but remember that it’s important to increase rewards as they make sense to your security organization.
- Creating a competitive program: The bug bounty market is growing quickly creating competition between programs, and without the proper guidance, many organizations will struggle to make their programs stand out and lose the race to get the best researchers. Staying competitive isn’t all about big cash rewards — a wide scope with interesting targets will always attract talent as is the opportunity to disclose findings. For researchers, public disclosure can be a form of prestige, demonstrating the skill or knowledge it took to find something noteworthy, as well as an educational tool to teach peers and consumers about the vulnerabilities found in the wild. It also provides career opportunities and community clout for individuals just getting started.
- Power of marketing: Don’t underestimate the power of marketing your bug bounty program. Many organizations use their bug bounty program as an opportunity to demonstrate their security posture. Increasing rewards is a great way to demonstrate just how seriously you take your organization’s and your customers’ security.
This story, “How much is a bug worth?” was originally published by CSO.