As you may know, bug bounty programs allow organizations to crowdsource talent from around the globe to test the security of their computer systems and report bugs and critical vulnerabilities. Bug bounty programs offer various advantages, one being cost-effectiveness compared to hiring a penetration testing company or in-house testers, both of which cost significantly more. These programs also offer generous rewards for discovering a vulnerability. That being said, it’s important not to ignore the disadvantages of these programs. Let’s have a look at some of them:

You never know what you’re up against

A bug bounty program is open to all sorts of visitors, be they blackhat or whitehat hackers, to investigate the company’s systems for vulnerabilities. This poses a threat to these already-vulnerable systems, which are potentially exposed to malicious blackhat hackers who are already hunting for vulnerable systems; to them, a bug bounty program may be nothing more than an announcement that draws their attention. The worst they can do is try to probe beyond the predetermined testing parameters and potentially compromise a secondary system. Attackers are very unpredictable and creative, so you never really know what to expect. Therefore, it’s better to be cautious. Bug bounty programs might not be the best solution for companies to find security vulnerabilities.

Bad behavior is rewarded

Though tech giants like PayPal, Microsoft, Facebook, and Google run bug bounty programs, not all big organizations have placed their faith in them.

In fact, some believe that these programs encourage bad practices, such as bounty hunters withholding knowledge of a vulnerability until they are paid. Also, these hunters might not have the best intentions and might try to sell this knowledge on the black market, which is often more rewarding than the legal market.

Companies save the big bucks while hunters get paid less

If you’re someone thinking of pursuing a career as a bounty hunter, you might have to reconsider, because what companies offer to bounty hunters is many times less than what they would offer a full-time employee for the same amount of work over the same period. Bug bounty programs can be extremely helpful for large enterprises in saving costs and in finding bugs and vulnerabilities to fix, tracked in defect tracking software, before releasing the next version, so that attackers cannot use them to access their systems. Another benefit for organizations is that they only have to pay out when there are results.

But for the effort bounty hunters put in to find the vulnerabilities, they get paid undeservingly little. Compared to traditional penetration tests, which are performed by just a few people on a team, bug bounty programs provide a platform where a much greater number of people attempt to find bugs and vulnerabilities, with the findings possibly tracked in defect tracking software. Even the company’s own customers are encouraged to give it a go.

Conclusion

Validated and remediated vulnerabilities benefit us all at the end of the day. As discussed above, bug bounty programs might not be the best solution, or even a sufficient one, for improving a company’s security, since these programs have some negative aspects. So, before implementing a bug bounty program, companies must weigh the pros and cons.
