No matter whether you run a web service, a website or an application, you are going to deal with cyber security issues. Both attacks and errors threaten you whenever your service has a vulnerability you haven’t fixed.
Vulnerabilities are usually detected during the testing stage. However, there is always a possibility that testers won’t find every bug; this is normal for the most complicated services. Even leading companies such as Oracle, Badoo, Microsoft, Zendesk and others face this problem.
While looking for vulnerabilities, you have to check every option a user has while using the program and every way an attacker could break in. You can certainly use bug tracking software, but it is rather inefficient for complicated services.
Just consider that Sony’s servers were hacked several times and the personal data of millions of users was disclosed. If you run a financial service, or any other service that requires users to share personal information, this is what you have to avoid.
Nowadays there is a cost-effective solution to the vulnerability problem: a bug bounty program delegates the search for vulnerabilities and exploits to a crowd. You only have to specify the program’s target (its scope) and set the rewards. That means you do not have to spend your team’s resources on finding vulnerabilities; you only have to process the bug reports.
Just consider the hourly rate of a single tester. You should pay at least $7 per hour (and usually you pay more). Also, effective testing certainly needs more than one qualified tester.
Finding bugs and exploits has always been a matter of man-hours. Once you have released a product you may not even know whether vulnerabilities remain, and to make sure you find most of them (never all of them) you would have to keep a team of testers, which costs a fortune.
Now compare that to a bug bounty program. You pay only for results, not for effort: no matter how many hours the reporter spent, you pay the specified amount. One more thing you have to settle is ranking: exploits and vulnerabilities must be ranked by severity. The more dangerous the vulnerability, the larger the reward. For example, the simplest URL vulnerability might be rewarded with $100, while a critical vulnerability should pay no less than $1000 (just an example).
So let’s compare running a bug bounty program with doing the testing yourself.
The first argument against a bug bounty is that you have no control over the search process. Once (and if) people engage with the program, you can’t make them coordinate or assign them directions. They decide on their own what kinds of vulnerabilities to search for (within the scope of your bounty brief), and many working hours are wasted on nothing. However, that is the bug hunters’ problem, and that is the risk they take.
You may also deal with unqualified bug hunters sending reports of imaginary vulnerabilities. To avoid that you just have to specify reporting standards and ignore reports that don’t meet them.
Note that you pay only once for each vulnerability found: to the first bug hunter who reported it.
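The program rules above (rewards by rank, reports that fail the reporting standard are ignored, and only the first reporter of each issue is paid) as a small triage model. This is an added example, not code from the original post; the duplicate rule (same vulnerability class at the same location), the intermediate reward tiers and the sample reports are assumptions constructed for it.

```python
# Reward tiers by severity rank. The $100 and $1000 figures are the post's own
# illustration; the intermediate tiers are constructed for this example.
REWARDS = {"low": 100, "medium": 300, "high": 600, "critical": 1000}

# Reporting standard: a report is ignored unless it carries all of these fields.
REQUIRED_FIELDS = ("id", "reporter", "submitted", "severity",
                   "vuln_class", "location", "repro_steps")


def validate(report):
    """True if the report meets the reporting standard and uses a known rank."""
    if any(not report.get(f) for f in REQUIRED_FIELDS):
        return False
    return report["severity"] in REWARDS


def fingerprint(report):
    """Assumed duplicate rule: same vulnerability class at the same location."""
    return (report["vuln_class"].lower(), report["location"].lower())


def triage(reports):
    """Return (payouts, rejected): reporter -> total owed, and (id, reason) pairs."""
    payouts, rejected, seen = {}, [], {}
    # Walk reports in submission order so the first reporter of an issue is paid.
    for r in sorted(reports, key=lambda r: r["submitted"]):
        if not validate(r):
            rejected.append((r.get("id"), "does not meet reporting standard"))
            continue
        fp = fingerprint(r)
        if fp in seen:
            rejected.append((r["id"], f"duplicate of {seen[fp]}"))
            continue
        seen[fp] = r["id"]
        payouts[r["reporter"]] = payouts.get(r["reporter"], 0) + REWARDS[r["severity"]]
    return payouts, rejected


# Constructed sample reports (ISO timestamps sort chronologically as strings).
SAMPLE_REPORTS = [
    {"id": 1, "reporter": "alice", "submitted": "2024-03-01T10:00", "severity": "low",
     "vuln_class": "open-redirect", "location": "/login?next=", "repro_steps": "attached"},
    {"id": 2, "reporter": "bob", "submitted": "2024-03-01T09:30", "severity": "critical",
     "vuln_class": "sqli", "location": "/api/search", "repro_steps": "attached"},
    {"id": 3, "reporter": "carol", "submitted": "2024-03-02T08:00", "severity": "critical",
     "vuln_class": "SQLi", "location": "/api/search", "repro_steps": "attached"},
    {"id": 4, "reporter": "dave", "submitted": "2024-03-02T09:00", "severity": "high",
     "vuln_class": "xss", "location": "/profile", "repro_steps": ""},
]
```

Running `triage(SAMPLE_REPORTS)` pays bob $1000 and alice $100, rejects carol's report as a duplicate of bob's, and rejects dave's for missing reproduction steps.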
One more problem with bug bounty programs is engaging the crowd. The target audience of such a program is testers and other IT specialists, and it may be hard to reach these people with a bug bounty page on your own website. So it may be better to use services designed to engage bug hunters all over the world.
If you still think a bug bounty is not a solution, note that companies like Microsoft, Zendesk, Pinterest, Facebook and many other top entities have already launched bug bounty programs. Google even runs a VRP (Vulnerability Reward Program) to ensure that the crowd tests the company’s applications. Since its launch in 2010, Google has already paid out more than $6 million.