Why you need a bug bounty program

If you’re ready to deal with the volume of reports, a bug bounty program can help you find the holes in your system — before attackers do.


Every business needs to have a process in place for handling security vulnerability reports, but some organizations take a much more proactive approach to dealing with security researchers.

An increasing number of hardware and software vendors have formal bug bounty programs. Google, for example, runs its own vulnerability rewards program, and Microsoft has multiple bug bounties covering Office 365, Azure, .NET and Edge, as well as general programs covering exploit mitigation bypasses and defensive techniques.

And the U.S. Department of Defense (DoD) set up its first bug bounty after several years of watching the software industry, says Katie Moussouris, now CEO of Luta Security. She previously created similar programs for Microsoft and Symantec, worked with the FDA to create market guidance around vulnerability disclosure for medical devices and helped the DoD prepare for its bug bounty while working at HackerOne. “The DoD was curious about whether those programs were effective, whether the folks participating in it were acting in good faith,” she tells CIO. “They wanted to take what was working in the private sector and fast track that into the DoD.”

“Bug bounties are really just a subset of vulnerability disclosure with a particular incentive. They can be a useful tool. Just like any other incentive program, you're trying to incent certain types of behavior, certain types of bugs,” Moussouris says.
