haasail.blogg.se

Elysian exploit website






Companies such as Intel and Google are leaders in the space, setting standards and payouts well beyond most other businesses.


Some key organizations are helping to chart a path forward. As these incidents happen, and happen more often, the market will naturally respond. Similarly, cyber-catalysts like the Equifax breach will drive industry change today. The insurance industry has always been the go-to place for risk transfer, and the market naturally developed new coverages as the need arose.

Consider, for example, the standards that were developed in the 1800s by HSB during the industrial revolution to create an insurance market for steam boiler malfunctioning and transform industry thinking to put safety first. These two views need to be kept in mind throughout the process.

Each company has its own set of IT standards, practices, and implementations, but as the market matures and bug bounty programs are more widely adopted, technology companies will inevitably shift to a more commonly defined approach. The first is that systems are tested from many angles using the techniques that nefarious attackers also use; the second is that the reward is balanced with efforts. Notice that I mention two important arguments here. What's the point of a bounty program? For most companies, it's to receive continuous testing of exposed systems from many angles at once, while providing a reasonable channel to reward people for their efforts. I support the growth of these programs, but I want to explain in detail why there's still a long way to go. Even on hosted platforms such as HackerOne or Bugcrowd, the severe lack of standardization is limiting these programs' effectiveness for everyone. While some published standards define receiving and disclosing information related to vulnerabilities, and additional standards define the process from intake to remediation, there are no defined ways to adopt a program, rules, or rewards, making every program different.
Companies that have implemented programs are seeing results, with 80% of reports deemed valid.

Despite all this growth, some programs have been frustrating to work with and not all programs are the same. Now there are roughly thousands of bug bounty programs, both private and public. This is a positive sign for the future of the disclosure industry, in contrast to a troubled beginning when companies and governments pursued legal action against those who reported vulnerabilities (such actions, however, are still happening). According to the 2018 Hacker Power Security Report, almost every statistic about bug bounties has increased: from a 54% increase in new programs launched to a 49% increase in the number of reports submitted and vulnerabilities disclosed publicly. Bug bounty programs are growing at an incredible rate.






