UPDATED 19:47 EDT / JULY 27 2017

Do bug bounties pay off? They sure did for these three companies

It used to be that when security researchers found a software bug, they would bring it to a company’s attention and hope for a small sum of money in return. Some firms paid out and many did not.

But in the last several years, companies large and small have created formal bug bounty programs as they’ve realized that motivating the research community to find previously missed vulnerabilities is simply good business.

“The whole industry in bug bounty programs is maturing,” said Charles Valentine, vice president of technology services for job search site Indeed Inc. “We still see very high value in our program.”

Valentine spoke about Indeed’s bounty program on Thursday during a briefing at the Black Hat USA 2017 cybersecurity conference in Las Vegas. He was joined by Angelo Prado, director of product security for Salesforce.com Inc., and Lori Rangel, director of product management at encrypted-communications firm Silent Circle LLC.

Underscoring the coming-of-age for bug bounty programs, Microsoft Corp. announced on Wednesday that anyone who discovered a security flaw in Windows would be eligible for payment between $500 and $250,000. The announcement expanded Microsoft’s previous bounty program, which offered rewards for specific areas such as the Hyper-V hypervisor, exploit mitigation systems known as ASLR and DEP, and its Edge browser.

Augmented security

Microsoft’s new bounty program highlights a trend towards bigger payouts for major vulnerabilities. Salesforce disclosed during the Black Hat briefing that it had paid over $2 million in bounties to security researchers since its program was started in 2015, with the largest single award at $13,000.

“It’s very valuable to build a relationship on threat intelligence with the security community,” said Salesforce’s Prado.

While the company executives were reluctant to disclose details about the kinds of flaws that had been found and rewarded, Valentine did say that Indeed had paid bounties for the discovery of domain takeovers and one particularly nasty XXE, or XML external entity, exploit.

According to Silent Circle’s Rangel, her company had rewarded verified code exploits and web application bugs. “We value our bounty program as sort of an augmented security team,” said Rangel.

Despite the value that companies gained from paying bug bounties, the program’s startup process was not easy, even for a company the size of Salesforce. Prado said his company failed to understand early on how to forecast resources and allocate proper budget to handle the flaws when they began to flow in. “You don’t know how many vulnerabilities you are going to receive,” said Prado.

Both Salesforce and Indeed employ dedicated staff to “triage” bug submissions. Prado pointed out that the skill set required to evaluate bugs properly can be different from that of other engineers, requiring a mix of incident response, customer support and security expertise.

Competing for talent

The decision on when a company will pay for a security flaw can vary. Silent Circle will pay after discussing the value of the vulnerability. Indeed and Salesforce issue payment after confirming that a particular flaw is correctable and actual code is rewritten. “If we make a change, we pay,” said Valentine.

Salesforce has found benefit in creating a private subgroup of between 10 and 20 previous bounty participants, high-value security researchers who can identify bugs when the company acquires a new business or launches a major product. “That has been extremely successful for us,” said Prado. “You are competing for the best talent out there.”

Bug bounty programs can also drive corporate recruiting. Prado said that one of the strongest participants in the Salesforce bounty program was a 16-year-old student from Argentina. The company flew the young researcher and members of his family to San Francisco, mindful that his level of expertise could make him a valuable hire down the line.

It’s clear that bug bounty programs have reached a point where they have become an important part of the enterprise, another source of key information to be evaluated in the context of the business. “Just because something comes through the bug bounty program doesn’t make it more important,” said Prado. “It’s still about making the right call for our customers and the company.”

Image: testbytes/Pixabay
