Reporter’s Briefing: Bug Bounties and Vulnerability Disclosure Programsby Yael Grauer August 27, 2018
As large-scale data breaches continue to proliferate, many companies are crowdsourcing their security in hopes of fixing system vulnerabilities before attackers exploit them. Many companies offer bug bounties to reward security researchers with cash prizes for finding critical bugs. Other companies offer vulnerability disclosure programs to allow researchers to report bugs and receive recognition, typically in the form of kudos or points.
Bug bounty programs and vulnerability disclosure programs are just one part of a company’s security practices, which are typically combined with in-house security professionals, pen testing by outside agencies, and automated vulnerability scanners or tools.
Here are several ways to incorporate bug bounties and vulnerability disclosures into regional reporting:
Profiles of local bug bounty hunters
Although some hackers are media-shy, others will gladly share stories about the craziest bugs they’ve found or biggest payoffs they’ve received. One way to find people to reach out to is to comb through user profiles on leaderboards on sites like BugCrowd or HackerOne. Or, look for bug bounty hunters at tech meetups or when visiting your local hackerspace.
Patching Disclosed Vulnerabilities
Once companies get vulnerabilities disclosed to them, they need to figure out a way to actually fix them in their code. This can be more of a challenge for companies or those with fewer financial resources and a smaller workforce, though a new platform called Federacy is starting to roll out a bug bounty program for startups.
Local reporters can zoom in on the specific strategies smaller companies use to set up their programs in a way that scales. It may be useful to dig into the actual programs themselves.
Which types of bugs are considered legitimate vulnerabilities? Which are most valuable to the company? What behavior disqualifies people from receiving recognition or payouts?
Battle of the Bounties
Sometimes a company within a given industry will have a much more progressive bug bounty program (or responsible disclosure program) than its competitors. Consider looking into the industry that’s the biggest employer in your region to see if there are large discrepancies between these programs.
Responses to Vulnerability Disclosures
Security researchers that reach out to small companies often find themselves facing threats of lawsuits. This is particularly true if the companies don’t have any kind of bug bounty program or vulnerability disclosure program, or if the company believes the researcher did not comply with the terms of its program. However, even clear-cut security disclosure rules on a company’s website often conflict with the site’s terms and conditions, which can lead to legal conflict.
If a company is suing or threatening to sue a security researcher for Computer Fraud and Abuse Act (CFAA) violations, or a similar state law, it may be worth digging into whether or not that company has a security disclosure program or bug bounty program, and whether or not the security researcher believes that they followed any guidelines offered. Disclose.io is a new project that hopes to standardize definitions regarding project scope, establish official communication channels, and formalize disclosure policies to protect security researchers acting in good faith.