Insight

Risk detection at scale is hard

How bug bounty programs can deliver return on investment

Chase Cortese

Associate Advisory, Cyber Security Services, KPMG US

+1 203-918-9411

Greg Mohler

Manager Advisory, Cyber Security Services, KPMG US

+1 610-937-9271

Caleb Queern

Director, Cyber Security, KPMG US

+1 571-228-8011

Security teams face an ever-evolving threat landscape that they must address to protect their software and IT infrastructure. Often, businesses only address issues in their products and services reactively, after an annual penetration test is performed or, worse, after a breach occurs. This slow pace of detection leaves security professionals one step behind attackers. There are many approaches to reducing the likelihood or impact of a cyber security event in applications. However, for a large organization, detecting the exploitable soft spots that matter can feel impossible because internal cyber security resources are limited and assessment schedules are infrequent. One part of the equation to staying ahead is developing a bug bounty program.

Bug bounty programs – also referred to as vulnerability disclosure programs – can reduce risk in a variety of ways. Primarily, they are a function for identifying and remediating vulnerabilities, and the associated risk, within software and services. These programs enable security researchers to report findings directly to a company, sometimes in exchange for a reward or recognition. Bounty programs let a company put more eyes on select devices, domains, and APIs, so that issues are identified more frequently instead of waiting for the next semi-regular test. The vulnerabilities found can be especially valuable because bug bounty researchers focus on exploitable vulnerabilities that are not theoretical but present in production today. This allows the company to find and fix legitimate, external attack vectors.

How can you and your company get started?

For a bug bounty program to be successful, there are a few prerequisites you’ll want to work through before you ‘open the doors’ to security researchers:

  1. First, define metrics that show the effectiveness of the bug bounty program. Consistent benchmarking against defined Key Performance Indicators (KPIs) allows your company to understand, from a quantitative standpoint, how the program has improved your overall security posture.
  2. Next, establish an internal communication channel with the engineering, architecture, operations, and security teams to help them understand why these vulnerabilities are being introduced. Conducting a root cause analysis can queue up conversations about design decisions and security concepts that didn’t previously have a seat at the table.
  3. Finally, successful programs rely on an individual or team responsible for initial triage of bug disclosures, for clearly declaring the program scope, for communicating with the submitter, and for confirming earned bounties.

A right-sized bug bounty program can be a cost-effective, valuable tool in detecting and reducing vulnerabilities and should be considered by large organizations.