Bug bounty programs are nothing new. Companies from Google to Microsoft to Mozilla offer up cash and other rewards for so-called "white hat" hackers willing to find and report critical problems in network infrastructure.
Now, United Airlines (UA) is also opting in, offering up to one million air miles to bounty hunters who find "remote execution codes" and turn over their data to UA. Of course, the proliferation of both bounty programs and network attacks raises a question: Are these hit lists really working, or is this just busywork designed to keep consumers happy and give C-suite executives a false sense of security?
So, why opt for a bug bounty program? According to Jason Steer of security firm FireEye, companies such as United Airlines can reap big benefits since "crowdsource testing for security weaknesses can be hugely valuable to organizations." In effect, businesses get the benefit of professional knowledge and expertise without having to pay full-time salaries or benefits. So long as the bounties offered are worth the time of white-hat hackers, they can tap a vast pool of talent in a very short time period.
For UA, this means offering air miles in exchange for new bugs — one million for critical flaws that can be executed from a remote location, 250,000 for medium-severity issues and 50,000 for low-level bugs. There is a restriction, however: Hackers are not allowed to submit bugs related to any on-board Wi-Fi, entertainment systems or avionics, presumably in an effort to keep even the "good guys" away from what keeps UA's planes in the sky.
Other companies are also ramping up their bug-finding efforts. According to VentureBeat, Microsoft has now added Azure, Office Sway and Project Spartan to its list of bounty-eligible code, while its Online Services Bug Bounty Program now pays out a maximum of $15,000 for critical flaws. Forbes, meanwhile, reports that sites such as Pinterest — which offers up to $200 for bugs — are now leveraging the cloud as a way to outsource vulnerability detection while still keeping essential services secure. Bottom line? Crowdsourcing security vulnerabilities is now par for the course, and the practice appears to be paying dividends.
But here's the thing: Crowdsourcing isn't enough on its own. If it were, companies such as Microsoft and Google would be virtually free of bugs, and no news-making vulnerabilities would ever emerge.
In some cases, incentives aren't enough, or bug bounty processes are too rigorous for the average white hat to file a report. Other times, companies don't act quickly enough to remediate bugs, leading ethical hackers to either take their information public or avoid making future reports. And while bounty programs try to tap the key strength of malicious actors — proactive evolution of the threat — even crowds can't uncover every possible way through the perimeter.
As a result, it's critical for companies using bug bounty programs to focus their IT security attention elsewhere as well. Think of it like this: Crowdsourcing takes care of the big stuff, especially with the right compensation, since hackers are driven both by the desire to claim big rewards and the desire to be the first to find a new type of vulnerability. This lets in-house IT focus on more thorough security testing of applications and systems, which requires an approach that is both rigorous and programmatic.
By leveraging cloud-based application security services and pairing them with internal expertise, it's possible to develop a robust defense architecture that catches the vast majority of bugs before they leave testing environments and become real-life problems; any that slip through the cracks are the domain of crowdsourced white-hat hackers.
Crowdsourced bug bounty programs remain a critical part of any security environment, but they aren't a catch-all solution. A truly defensive posture starts with testing, continues through deployment and evolves in the field.