Bug bounty programs are great, but not enough – here’s why

The past years were a record for million-dollar bug bounty rewards. HackerOne’s 2022 report reveals the number of bug bounty programs increased by 45% compared to 2021. However, companies should not treat bug bounty programs (BPPs) as an absolute solution but rather as a part of the security strategy. To ensure continuous discovery and wider coverage of vulnerabilities, organizations should consider adding Attack Surface Management (ASM) tools to their existing BBPs.

Bug bounties are not a silver bullet

What are bug bounty programs?

BBPs allow organizations to reward external security researchers for finding security vulnerabilities with monetary rewards. Vulnerabilities can be reported through a standardized channel, where they’re triaged, validated, and routed to the appropriate team for remediation before threat actors can exploit them. The prizes (bounties) vary depending on the severity of the bug.

What benefits do bug bounty programs offer?

• More frequent testing: BBPs allow organizations to perform more frequent testing of the external attack surface; they don’t have to wait for the next security audit.

• Flexible pricing: The cost of frequent testing is relatively low once a BBP is established. Bug hunters are paid only upon successful vulnerability disclosure, with each payment reflecting the bug’s severity.

• A temporary solution to the worker shortage: While the worker shortage is an ongoing battle, BBPs offer an alternative to traditional hiring by leveraging external bug hunters in the community.

• Raise security awareness: Implementing BBPs with competitive pay shows that the company has an aware approach to cyber security.

Threat actors are adding competition

BBPs so far have been a great tool for companies to leverage the hacker and researcher community to secure their infrastructure. However, threat actors have also stepped up their game in this race – Lockbit 3.0, a ransomware gang, has a BBP offering up to 1 million dollars to help enhance their ransomware, a higher amount than many legitimate organizations have ever awarded.

The same HackOne’s 2022 study reveals that nearly 50% of bug bounty hunters reported not disclosing a vulnerability, mostly because organizations do not have a vulnerability disclosure program. To beat threat actors at their own game, bug bounties should be one part of the bigger picture.

Another layer of security with attack surface management

What is attack surface management?

ASM is a process that enables organizations to get comprehensive visibility automatically and continuously into assets that make up the attack surface. A modern ASM solution includes 5 processes: discover assets, classify assets, identify vulnerabilities, prioritize risks, and remediate risks. ASM solutions are valuable in reducing the costs associated with cyberattacks by helping discover exposures, prioritize risk management, and ensure risks are remediated before threat actors can exploit them.

How can ASM and bug bounty programs complement each other?

Knowing thy assets

68% of organizations have experienced an attack originating from an unknown, unmanaged, or poorly managed company asset.

ASM solutions scan all internet-facing assets, providing security teams with a holistic overview of the attack surface, including previously unknown, forgotten, or looked-over assets, as well as how they are connected. Such an overview gives insight into which vulnerabilities are most likely to be exploited by threat actors, setting out a better scope and context for bug hunters.

More automation

Security teams are often overwhelmed by too many repetitive, manual tasks despite limited time and resources. While internal security teams often have to validate bug hunter discoveries, taking up a portion of their limited time, modern ASM solutions can be integrated into the security team’s tools to automate portions of workflows providing increased efficiency.

Cost-effectiveness

More solutions usually equal more costs. However, adding ASM to your portfolio means that the volume of BBP payouts provided by your organization should decrease.

A study reveals that external bug hunters report different types of vulnerabilities compared to internal staff and tools, implying the two solutions can cover each other’s gaps. While ASM solutions are good at detecting common threats and misconfigurations, external bug hunters can cover areas where automated solutions might struggle to identify a threat.

Recommendations

Hadrian recommends your organization build a layered approach to cybersecurity in which multiple tools to protect systems from vulnerabilities are utilized. Automated solutions for continuous testing such as ASM should be used to map your entire external attack surface, knowing which vulnerabilities pose the greatest risk, and which need to be prioritized for remediation in order to decrease the likelihood of a breach. To learn more about ASM and how Hadrian automates the entire exposure management lifecycle, get in touch with our security experts.