Application security has always been a hot topic that has only gotten hotter with time. Even with a horde of defensive tools and practice at our disposal (firewalls, SSL, asymmetric cryptography, etc.), no web-based application can claim that it’s secure beyond the reach of hackers. Why is that? The simple reason is that building software remains a very complex and brittle process. There are still bugs (known and unknown) inside the foundation developers use, and new ones are being created with the launch of new software and libraries. Even the top-tier tech companies are ready for occasional embarrassment, and for a good reason.
Now hiring . . . Hackers!
Given that bugs and vulnerabilities will probably never leave the software realm, where does it leave the businesses dependent on this software to survive? How can, for instance, a new wallet app be sure that it’ll stand up against the nasty tries of hackers?
Yes, you’ve guessed it by now: by hiring hackers to come and take a crack on this newly minted app! And why would they? Just because there’s a big enough bounty on offer — the bug bounty! 🙂 If the word “bounty” brings back memories of the Wild West and bullets being fired without abandon, that’s exactly what the idea here is. You somehow get the most elite and knowledgeable hackers (security experts) to sound out your app, and if they find something, they get rewarded. There are two ways to go about it: 1) hosting a bug bounty on your own; 2) using a bug bounty platform.
Bug Bounty: Self-hosted vs. platforms
Why would you go to the trouble of selecting (and paying) a bug bounty platform when you can simply host it on your own. I mean, just create a page with the relevant details and make some noise on social media. It obviously cannot fail, right? Well, that’s a neat idea right there, but look at it from the hacker’s perspective. Jostling for bugs is no easy task, as it requires several years of training, virtually limitless knowledge of things old and new, tons of determination, and more creativity than most “visual designers” have (sorry, I couldn’t resist that one! :-P). The hacker doesn’t know who you are or is not sure that you’ll pay. Or maybe, is not motivated. Self-hosted bounties work for juggernauts like Google, Apple, Facebook, etc., whose names people can put on their portfolio with pride. “Found a critical login vulnerability in the HRMS app developed by XYZ Tech Systems” doesn’t sound impressive, now, does it (with due apologies to any company out there that might resemble this name!)? Then there are other practical (and overwhelming reasons) for not going solo when it comes to bug bounties. Lack of infrastructure The “hackers” we’ve been talking about are not the ones that stalk the Dark Web. Those have no time or patience for our “civilized” world. Instead, we’re talking here about researchers from a computer science background who are either at a university or have been bounty hunters for a long time. These folks want and submit information in a specific format, which is a pain in itself to get used to.
Even your best developers will struggle to keep up, and the opportunity cost might turn out to be too high. Resolving submissions Finally, there’s the issue of proof. The software might be built on fully deterministic rules, but exactly when is a particular requirement met is up for debate. Let’s take an example to understand this better. Suppose you created a bug bounty for authentication and authorization errors. That is, you claim that your system is free from the risks of impersonation, which the hackers have to subvert.
Now, the hacker has found a weakness based on how a particular browser works, which allows them to steal a user’s session token and impersonate them. Is that a valid finding? From the perspective of the hacker, definitely, a breach is a breach. From your perspective, maybe not, because either you think that this falls in the domain of the user’s responsibility or that browser is simply not a concern for your target market. If all this drama were happening on a bug bounty platform, there’d be capable arbiters to decide the impact of the discovery and close out the issue. With that said, let’s look at some of the popular bug bounty platforms out there.
YesWeHack
YesWeHack is a global bug bounty platform that offers vulnerability disclosure and crowdsourced security across many countries such as France, Germany, Switzerland, and Singapore. It provides a disruptive solution of Bug Bounty to tackle the threats increasing with the increase in business agility where traditional tools no longer meet the expectations.
YesWeHack lets you access the virtual pool of ethical hackers and maximize the testing capabilities. Select the hunters you want and submit the scopes to be tested or share them with the YesWeHack community. It follows some strict regulations and standards to safeguard the interests of hunters as well as yours. Improve your app security by leveraging the hunter responsiveness and minimize the time to remediation and vulnerabilities detection. You will be able to see the difference once you launch the program.
Open Bug Bounty
Are you overpaying for bug bounty programs? Try Open Bug Bounty for crowd security testing. This is a community-driven, open, cost-free, and disintermediated bug bounty platform. In addition, it offers responsible and coordinated vulnerability disclosure compatible with ISO 29147. To this date, it has helped fix over 641k vulnerabilities.
Security researchers and professionals from leading sites such as WikiHow, Twitter, Verizon, IKEA, MIT, Berkeley University, Philips, Yamaha, and more have used the Open Bug Bounty platform to resolve their security issues such as XSS vulnerabilities, SQL injections, etc. You can find highly knowledgeable and responsive professionals to get your work done quickly.
Hackerone
Among the bug bounty programs, Hackerone is the leader when it comes to accessing hackers, creating your bounty programs, spreading the word, and assessing the contributions.
There are two ways you can use Hackerone: use the platform to collect vulnerability reports and work them out yourself or let the experts at Hackerone do the hard work (triaging). Triaging simply is the process of compiling vulnerability reports, verifying them, and communicating with hackers. Hackerone is used by big names like Google Play, PayPal, GitHub, Starbucks, and the like, so of course, it’s for those who with severe bugs and serious pockets. 😉
Bugcrowd
Bugcrowd offers several solutions for security assessments, one of them being Bug Bounty. It provides a SaaS solution that integrates easily into your existing software lifecycle and makes it a snap to run a successful bug bounty program.
You can choose to have a private bug bounty program that involves a select few hackers or a public one that crowdsources to thousands.
SafeHats
If you’re an enterprise and don’t feel comfortable making your bug bounty program public — and at the same time need more attention than can be offered by a typical bug bounty platform — SafeHats is your safest bet (terrible pun, huh?).
Dedicated security advisor, in-depth hacker profiles, invite-only participation — it’s all provided depending on your needs and maturity of your security model.
Intigriti
Intigriti is a comprehensive bug bounty platform that connects you with white hat hackers, whether you want to run a private program or a public one.
For hackers, there’s plenty of bounties to grab. Depending on the company’s size and industry, bug hunts ranging from €1,000 to €20,000 are available.
Synack
Synack seems to be one of those market exceptions that break the mold and end up doing something massive. Their security program Hack the Pentagon was the major highlight, leading to the discovery of several critical vulnerabilities.
So if you’re looking for not just bug discovery but also security guidance and training at the top level, Synack is the way to go.
Conclusion
Just as you stay away from healers that proclaim “miracle cures,” please stay away from any website or service that says bulletproof security is possible. All we can do is move one step closer towards the ideal. As such, bug bounty programs should not be expected to produce zero-bug applications but should be seen as an essential strategy in weeding out the really nasty ones. Check out this bug bounty hunting course to learn and gain fame, rewards, and appreciation. Learn about the biggest bug bounty programs in the world. I hope you squash many of ’em bugs! 🙂
