Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Risk vs reward: how to talk about bug bounty programs

Kacy Zurkus | Feb. 3, 2016
Casey Ellis, co-founder and CEO of Bugcrowd Inc., offers some advice for security newbs on how to broach the topic of bug bounty programs.

Bug bounty

As someone who is just entering the industry, perhaps you think more progressively and are willing to consider non-traditional programs. 

Maybe, you think your enterprise would benefit from a bug bounty program, but you don't quite know how to convince your team, your management, or your board that the risks of not investing in a bug bounty program may very well outweigh the rewards of working with an outside researcher.

Casey Ellis co-founder and CEO at Bugcrowd offers some advice on how to approach the conversation.

Bugcrowd put out a new report on the breakdown of what a bug actually costs a company, the priority that should be placed on vulnerabilities (P1 through P5), ways companies can budget for these bugs, and how a new approach is changing the security landscape.

Ellis said, "The reason for Bugcrowd was that we were looking at the existing models for vulnerability discovery and realized that automation is getting them part way through the problem but leaving a gap."

For an enterprise, going out and hiring people has the potential to close that gap, but the market has historically been out of balance in compensation. "You have people that are paid by the hour on the defender side, but on the attacker side, it is a lot different.  They have advanced skillsets and different motivations," Ellis said.

Ellis had customers that were seeing the benefits from Facebook and Google's programs and decided it would make more sense to create a level playing field by building a better army for the defender side.

How do we actually budget for this? 

Because many enterprises remain tentative about doing business with hackers, there are many pricing inconsistencies in the bug bounty market. Earlier this week, Ken Baylor mentioned that a company could get a quote of $85,000 from one company and $15,000 from another for the same exact work.  

Ellis said that when enterprises hire individuals, they often are only engaging a single pair of skills which is driven by the fact that it's a pretty fragmented market.  Indeed, there are some major players, but none are really dominant at this point.

In order to know how to budget for a bug bounty program, an organization needs to gain an understanding of its security maturity. Ellis said, "They need to know how many potential targets there are, and how much they want to initially offer." 

Where do we start our pricing? 

The security programs in place are currently collecting lots of data, so Ellis advised, "In order to publish their initial pricing, we suggest that a company draw a line in the sand based on all of the data that they've collected. As they grow through the program, they can increase the size of the rewards to entice the testers deeper into the layers."


1  2  Next Page 

Sign up for CIO Asia eNewsletters.