Vetting researchers builds trust in bounty programs

Though companies like Google and Facebook have used bounty reward programs for a while, organizations outside of the technology industry can also benefit from participating in bounty programs.

Image: reward sign (credit: Quinn Dombrowski, Creative Commons BY or BY-SA)

Conservative enterprises have been tentative about joining forces with hackers, but third-party bug bounty platforms have shown that their vetting process yields a highly qualified and trustworthy talent pool. Because security researchers can discover vulnerabilities and alert enterprises to flaws in applications before a breach occurs, there is value in trusting ethical hackers.

Bugcrowd’s recent State of Bug Bounty report noted that many bug bounty programs are run on third-party platforms that “manage the operational end of the programs, bringing the research community together and handling the payment process, opening up the opportunity for more companies to successfully run bug bounty programs.”

While companies from Facebook and Google to Tesla and United Airlines have popularized bounty reward programs, more conservative enterprises outside of the technology industry, such as larger financial services and healthcare organizations, have been less comfortable taking the leap of faith that the benefits of bounty programs outweigh the risks. This tentative response across industries outside of tech has led to the rise of private, invitation-only programs.


Jay Kaplan, CEO of Synack, said that for these more conservative enterprises, it is “really important to have contractual obligations.” Companies want to know who they are dealing with, and a vetting process that includes background checks and behavioral interviews can winnow the candidate pool down to the most trustworthy prospects.

“Candidates need to be well versed in techniques, but a vetting process has to be about both skills and trust,” Kaplan said. The vast majority of enterprises want to know that the people they are dealing with can be trusted.
