What is bug bounty?
From large enterprises to government agencies, Bug Bounty programs are used in addition to traditional, check-list based penetration tests for their access to a diverse skill set, pay-for-results model, and potential for ongoing testing. While traditional pen testing is often used to achieve compliance, these programs and bug bounty competitions pay cash rewards to ethical hackers, otherwise known as security researchers, for finding and reporting weak points and bugs in the software. Researchers provide security teams with reports on how attackers could penetrate their security systems.
Is Bug Bounty the Same as Crowdsourcing?
In theory, the advantage of bug bounty security testing is that it creates attractive incentives for ethical hackers to find more vulns than the traditional pentest would. However, the Bug Bounty term can be confusing as it is often used broadly to indicate any researcher-based vuln discovery, some of which doesn’t even employ a true “crowd”. To further complicate things, many bug bounty-based companies are oriented more toward performing checklists for their broad customer base, and reserving the true crowdsourcing methodology for their large enterprise customers. A good buying decision requires discernment from the buyer. See below for more detail on the various flavors of Bug Bounty and their pros and cons:
Vulnerability Disclosure Programs (VDP, aka Responsible Disclosure Programs): Though not technically bug bounty (there is no actual bounty involved) this is a “see something, say something” policy in which an organization hosts, or enlists the help of, a vendor to manage a program through which anyone can report the discovery of a vulnerability.
Advantages: inexpensive, fairly simple to implement, positive public affairs opportunity.
Disadvantages: potential operational burden from high volumes of low-quality reports; lack of control since vulns can be submitted by anyone and some submitters will feel they are entitled to tell the public if you don’t respond within a certain period of time.
Bug Bounty Marketplace: a pot of money is put up for ethical hackers to try to hack corporate IT assets. This is similar to VDP except that there is compensation for vulnerability findings. In some cases, the bug bounty program is only available to a specific crowd of ethical hackers (aka security researchers).
Advantages: competitive nature brings out better performance; diversity of skills and experience brought to bear on testing.
Disadvantages: limited control and potential risk if the crowd is not vetted and managed; potential operational burden from high volumes of vulnerability reports of varying levels of quality.
Micro-Crowdsourcing: Some companies that use the crowdsourcing or bug bounty terms actually bring in a finite number (as few as 1-2) of researchers, who are often direct-salary rather than bounty-motivated and who typically follow checklists.
Advantages: cheap and relatively quick (though somewhat misleading).
Disadvantages: while this term gives the illusion of crowdsourcing, the small number of researchers and lack of competitive process render it less effective than true crowdsourcing. This really belongs in the category of “Traditional Penetration Testing”.
Why Bug Bounty Isn’t Enough
Before engaging with unvetted bug bounty hackers, organizations need to be well-informed of the benefits of a comprehensive crowdsourced platform and the potential risks of working with the wrong crowd.
Without proper crowd standards, quality assurance, or technical controls and management, bug bounty programs can introduce unwanted risk and operational burden into an organization. In a typical cyber security bug bounty program, there could be thousands of bug bounty hunters of varying expertise, generating noisy results of varying quality. As mentioned, one of the key benefits of bug bounty is the access to more researchers, and thus more vulnerabilities. However, organizations often fear an influx of vulnerabilities and a lack of resources to appropriately manage and triage even the valid ones. Behind every critical vuln, there are numerous false positives and low-quality vulnerabilities to sift through as well. Furthermore, managing communication with a crowd of hackers can be daunting. Synack offers a high level of control, quality, and insight that is not as accessible in traditional open bug bounty programs.
How Synack Goes Above and Beyond
Synack goes beyond bug bounty to address many of the challenges where bug bounty falls short, delivering >30% higher ROI compared to other crowdsourced solutions.
Bug bounty is a feature of what we do. However, Synack goes further by providing bounty-driven security testing with an elite crowd combined with our smart technology platform. This means you get the scale and rigor of bug bounty, with the control, efficiency and quality that’s unique to Synack. We’ve also built our own smart scanning engine, SmartScan, and methodology-driven workflows to give you the best of bug bounty, penetration testing, and vulnerability scanning, all in a single, integrated platform. SmartScan adds efficiency to the testing process by alerting researchers to potential vulnerabilities for verification, while allowing them to focus their time on finding the complex, exploitable vulnerabilities that other solutions struggle to find. This integrated platform removes operational burden so that security teams can focus on remediation.
Synack’s Crowdsourced Advantages:
A team of 1,200+ of the world’s most elite security researchers that are vetted through a 5-step process for both skill and trust
A realistic view of your attack surface from the world’s best, most trusted ethical hackers
An ability to rapidly deploy testing, intelligence, and operations
Real-time analytics on testing activity, coverage and benchmarking performance
Additional scale through a machine-learning enabled scanner, freeing researchers to focus more on creative tests
Access to actionable, audit-ready reports complete with a compliance checklist
How It Works
The Synack Portal enables security teams to manage security testing enterprise-wide, monitor security performance, prioritize assets for testing and share detailed findings with the team. Synack reviews and triages all findings so that security teams are given only actionable, exploitable vulnerabilities, without wasting time sifting through countless hacker submissions and false positives. Inside the portal, customers can access the main dashboard for a summary of findings reported in real time as they are discovered and triaged. From the main dashboard of key metrics, customers can double-click any of the high-level metrics for details and view detailed vulnerability findings, manage active assessments, get analytics on security performance (Attacker Resistance Score™ rating), track outcomes of SRT security checks through Missions and read or download audit-ready reports, as needed.
So that reports can be tailored to the right audience, Synack’s platform goes beyond traditional reporting (often manual, point-in-time, and lacking in usable insights) to deliver powerful, on-demand, customizable reports that present your testing data in a functional, easy-to-understand way. These reports help organizations make more informed security decisions. You can choose between human-written analysis, audit-quality reports for compliance mandates, custom report templates, high-level summaries with key metrics for leadership, or even actionable vuln data for development teams.