New data-driven businesses are mushrooming, organizations across industries are embracing technological advancements, and cybercriminals are getting more sophisticated. Cybercrime rates are growing, and further growth is expected.
Despite the astonishing number of cybercrime categories, however, the perception of risk per se seems to be the heart of the problem. Being entranced by digital tech, too many companies estimate the cost of being a victim to be low, and readily accept the risk. Many people see data breaches as a cost of doing business.
In October 2018, HackenProof held an onsite bug bounty marathon called HackenCup. The event gathered 25 talented hackers from around the world to search for vulnerabilities in three products. The ride-sharing service Uklon was one of them.
The team of ethical hackers found four major vulnerabilities that could lead to a vast array of serious issues. By the end of the day, the hackers submitted 74 reports, which both shocked and excited Uklon’s founder.
Uklon is not alone in discovering the benefits of bug bounty programs. After the Marriott hack, Hyatt Hotels launched its bug bounty program. Here’s why your organization should get proactive with bug bounties.
Bug bounty: Advantages and challenges
You might remember the story of Frank Abagnale, probably the most talented fraudster in history, who ended up helping the FBI and other law enforcement agencies uncover fraudulent schemes. The idea is to fight fire with fire: Abagnale knows the psychology of criminals and their “craft” better than anyone.
This is what a bug bounty program is about: Ethical hackers help businesses detect vulnerabilities before the bad guys beat them to it. In other words, running a bug bounty program is getting ahead of the game by being proactive and predictive. A bug bounty is an alternative way to detect software and configuration errors that can slip past developers and security teams, and later lead to big problems.
But it’s important not to over-rely on bug bounty programs. Since these programs are incremental, an additional layer rather than a replacement, they don’t eliminate the need for secure software development practices, system scans, or testing.
Unlike traditional penetration testing services, which tend to generate a culture of fear and of merely meeting compliance requirements, bug bounties are about creating a culture of openness, transparency, and responsibility. Even if your company doesn’t offer bug bounties, you need to establish a vulnerability disclosure policy as soon as possible.
Another term for this is a responsible disclosure policy: a legal statement that your company won’t prosecute ethical hackers who detect and report vulnerabilities in your products. Startups and young organizations that haven’t adopted such policies are missing out.