October 14, 2016

Paying to Get Hacked: Bug Bounties for Improved Cybersecurity

A hacker could be your newest asset in finding security flaws.

Sometimes the only way to solve a security threat is to take the exact action you’re trying to prevent: Hack the system.

Hack the Pentagon

This spring, the Pentagon invited the public to try to hack certain public-facing, non-classified systems, offering cash prizes to those who managed to find bugs.

The Hack the Pentagon program registered more than 1,400 white-hat hackers, and more than 250 of them submitted at least one vulnerability report, wrote Ash Carter, U.S. Secretary of Defense, in a blog post about the program. “The results exceeded our expectations,” he said.

Of the submissions, 138 were determined to be legitimate, unique, and eligible for a bounty, Carter wrote. A little more than a month after this pilot program wrapped up, every vulnerability discovered by hackers was found and remediated, according to Carter.

The program was cost-effective. “This pilot cost $150,000,” Carter wrote. “It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million.”

This was the first time the U.S. government offered monetary awards to outsiders to find IT security bugs. The Department of Defense took the idea from the private sector, where companies including Google, Western Union, Tesla Motors, and United Airlines, among others, have used the tactic to improve enterprise network security.

Bug Bounties All Around

Bug bounty programs have proven their worth and are on the rise, according to “State of Bug Bounty Report” by cybersecurity firm Bugcrowd. Researchers discovered 729 high-priority vulnerabilities by using bug bounty contests over the last two and a half years. Bug bounties can save enterprises hundreds of thousands of dollars by detecting weaknesses before new systems are deployed, the study said.

Bugcrowd and HackerOne, which were hired by the Pentagon, are two companies that provide platforms and a crowd of security researchers to perform bug bounty programs. They conduct background checks of the hackers they engage with to ensure no cybercriminals are involved. This is a critical point to the growth of bug bounties.

Learning to Trust

In the past, many enterprises were reluctant to work with hackers, a group of skilled IT people whom many feared could have criminal intent. “Different bug bounty providers have different vetting processes for winnowing out those who are deemed less trustworthy,” notes CIO.com. Enterprises considering bug bounty programs should scrutinize providers’ vetting methods to find the one that best matches their needs and comfort level.

Having outsiders prod your organization’s cyber defenses to pinpoint vulnerabilities brings a new perspective to enterprise network security. Also, with IT security specialists in short supply, bug bounties, in effect, can supplement IT security manpower.

Hewlett Packard Enterprise has used this tactic successfully for several clients. Conducted responsibly, a bug bounty pays off and helps strengthen enterprise architecture security.
