Why you need a bug bounty program
Credit to Author: Mary Branscombe | Date: Tue, 21 Feb 2017 12:50:00 -0800
Every business needs to have a process in place for handling security vulnerability reports, but some organizations take a much more proactive approach to dealing with security researchers.
An increasing number of hardware and software vendors have formal bug bounty programs. Google, for example, runs its own vulnerability rewards program, and Microsoft has multiple bug bounties covering Office 365, Azure, .NET and Edge, as well as general programs covering exploits and defenses.
And the U.S. Department of Defense (DoD) set up its first bug bounty after several years of watching the software industry, says Katie Moussouris, now CEO of Luta Security. She previously created similar programs for Microsoft and Symantec, worked with the FDA to create market guidance around vulnerability disclosure for medical devices and helped the DoD prepare for its bug bounty while working at HackerOne. “The DoD was curious about whether those programs were effective, whether the folks participating in it were acting in good faith,” she tells CIO. “They wanted to take what was working in the private sector and fast track that into the DoD.”
“Bug bounties are really just a subset of vulnerability disclosure with a particular incentive. They can be a useful tool. Just like any other incentive program, you’re trying to incent certain types of behavior, certain types of bugs,” Moussouris says.