Western Union, a backbone of 19th century innovation with its successful hold on the telegraph industry, made a bold 21st century move this spring. It created a public vulnerability rewards program—more commonly known as a bug bounty program—to incentivize security researchers to report cybersecurity vulnerabilities directly to the company.
As a Fortune 500 financial company, Western Union had never discussed building a bug bounty program. But after a few instances where grey hat hackers attempted to report vulnerabilities to the company, spending weeks trying to reach the right person through e-mails, phone calls, and social media shout-outs, it knew it needed a change, says David Levin, director of information security at Western Union.
That change resulted in a private bug bounty program created at the end of 2013 with the help of Bugcrowd, a crowdsourced security testing company, to respond to bugs that were reported and to “be able to breathe,” Levin adds.
After a steady stream of bug reports poured in and Western Union completed its due diligence, it decided to make the program public this spring. Researchers can now register through Bugcrowd to report Western Union vulnerabilities they discover for rewards of $100 to $5,000.
By creating this program, Western Union’s internal teams have been freed up to focus on finding solutions to vulnerabilities, while leveraging Bugcrowd’s research community to report on them in the first place.
“It’s not like we ignored our security before…but we wanted to leverage another level of expertise,” Levin explains of its decision to create the program, which has seen a steady stream of submissions since going public.
Initially coming on the scene in the early 2000s, bug bounty programs have gained traction over the past several years as major tech companies—like Google and Facebook—implemented them.
Not all programs are the same, but generally each company outlines requirements for researchers who want to take part, and asks the global Internet community to hack into their system, document their process, and share it with the company for a reward—a bounty. Incentives range from free T-shirts to Hall of Fame listings to financial compensation.
Some companies that have the infrastructure to support the effort operate their bug bounty programs independently. Others, such as smaller firms or those not in the tech sector, can hire another company—like Bugcrowd or GitHub—to create and manage the bug bounty program for them, so internal staff can devote their time to fixing and patching vulnerabilities as opposed to finding them.
These programs can be private, so only vetted researchers are able to report bugs and know that bounties are available, or public, meaning the program is open to anyone and is not kept secret.
Regardless of whether the program is public or private, a key aspect for success is detailing the type of relationship a company expects to have with researchers when they report vulnerabilities through the program. This helps researchers understand the specific process companies want them to use to report vulnerabilities—such as submitting them through a web portal instead of posting about them on a social media page or contacting someone at the company directly—and what vulnerabilities companies are willing to provide incentives for—such as not rewarding researchers for bugs that have already been reported.
Program managers need to make sure that the company is “clear and communicating what your expectations are, and what you expect the relationship to look like,” says Casey Ellis, CEO and cofounder of Bugcrowd. “And then putting that out there so that before someone actually engages in this type of activity, they know what to expect and then it becomes a matter of making sure that you hit those expectations consistently.”
Managers also have to take into account that many researchers aren’t native English speakers. For instance, India contributed the largest number of valid bugs to Facebook’s bug bounty program in 2014 with 196, followed by Egypt with 81, and the United States with 61, according to Facebook’s annual bug bounty highlights.
This makes it increasingly important for companies to ensure that their bug bounty guidelines and researcher expectations are easily understandable for those who speak English as their second language. “What it comes down to is being aware that conflict exists and you have to navigate it; and as a result of it, making sure communication is as simple and clear as possible,” Ellis explains.
Google handles this by outlining its program requirements and expectations through its bug bounty website, including types of bugs and their likely price range if reported. It also includes examples of what it considers great bug reports and contact information for researchers who have questions.
“We believe that we should tell the researcher in as much detail as we can how much we’re likely to pay for each given bug,” explained Google Troublemaker Chris Evans in an RSA panel discussion in April. “We find the more detail you give researchers, the more persistent you are with what you provide, the happier your researchers are.”
And keeping researchers happy is crucial for bug bounty programs, as they work by incentivizing legitimate results, rather than paying people for their time, said Nate Jones, technical program manager at Facebook in the panel discussion with Evans.
“And that turns out to be very cost effective for us, especially with such a big program,” he explained. “It’s much less expensive—per vulnerability—paying by bounties than it is to pay a lot of the traditional sort of penetration testing companies.”
Evans agreed, explaining that “even if you have a really good, strong, internal security team, which many of us do…it’s hard for those dozens of internal researchers to compete with the potential pool of thousands of external researchers.”
And research backs their stance. According to An Empirical Study of Vulnerability Rewards Programs, a report published by three Berkeley researchers in 2013, a bug bounty program can be a cost-effective mechanism for finding security vulnerabilities.
The report studied the bug bounty programs offered by Google Chrome and Mozilla Firefox. It found the cost of both of their programs comparable to the cost of employing just one member of the browser security team (assuming a $100,000 salary with a 50 percent overhead).
“The benefit of a [bug bounty program] far outweighs that of a single security researcher because each of these programs finds many more vulnerabilities than any one researcher is likely to be able to find,” the report said. Additionally, the report found that increasing the number of researchers looking for vulnerabilities also increases the diversity of bugs that are discovered.
Furthermore, rewarding researchers for reporting vulnerabilities helps encourage participation. “This makes sense with an understanding of incentives in lotteries: the larger the potential prize amount, the more willing participants are to accept a lower expected return, which for vulnerability rewards programs, means the program can expect more participants,” according to the report.
Some companies give away swag or points for bounties, but Levin says he thinks “it’s ridiculous to offer anything other than a monetary option” for rewards. “It’s like a free car versus a free doughnut; what’s going to entice you more?” Additionally, large monetary rewards encourage researchers to report bugs to the company directly, as opposed to exploiting them or attempting to sell them on the Dark Web.
Rewards can also serve as a control on how many bugs are being reported at any given time to allow companies to develop a cadence to respond to them, Evans said. “You can start with a lower price, and some good bugs will probably come in, and once that tapers off and you think that’s under control, you then just dial it up—turn the knob—and more will come in,” he explained. “We’ve done that quite successfully at Google.”
However, monetary rewards aren’t the only reason researchers participate in bug bounty programs. One of the other major motivators is an academic driver of wanting to understand how something works, Ellis says.
“I just like understanding how things work and creating challenges for myself to understand how something works to the point that I can get it to do something that it maybe shouldn’t—creatively overcoming a limitation,” Ellis says, adding that this is a common driver for many researchers.
Additionally, researchers are also motivated to participate in bug bounty programs to build up their personal brand and receive recognition from a third party that attests to their skill level. Not only is this a “feel good” that reinforces participation, but it can also help lead to jobs for researchers and help companies identify talent.
Bugcrowd has seen a number of researchers receive job offers at companies based partly on their participation in these programs, including its former top researcher who was hired by Tesla, Ellis says.
Ultimately, bug bounty programs are beneficial both for researchers and the companies that operate them because they level the playing field in cyberspace.
“If you’re on the Internet, anyone’s got the ability to hack you,” Ellis says. “So why would you limit the kind of people that might be putting their hand up to try to help?”