How Bug Bounty Programs Deliver Savings and Security
But in a new twist, one of the latest initiatives is a collective program announced by Microsoft, Facebook, and Google this month. In most cases bounties are offered by a single company to benefit its own product, so it is heartening to see the collective responsibility these technology giants have taken to make the Internet a more secure place within which to operate.
Looking at these bug bounty programs more closely, there are several questions that emerge in helping shape an organization’s quality assurance strategy.
1. How expensive are bug bounty programs? The bounties themselves can be quite large, and one well-known hacker has made more than one hundred fifty thousand dollars so far from finding bugs in Google’s Chrome browser alone.However, a study talks about how these programs are still cheaper than hiring full-time security experts at an organization.
The management effort in a bug bounty program can be intensive because those in charge need to motivate people to participate with past bug bounty results, clearly define the policies, monitor the program over its duration, determine the bounty winners, and settle any legal disputes.
2. Can there be standalone programs in a quality assurance effort? Facebook is reported to not have a formal quality assurance effort. Whether this is the right approach is out of scope for discussion in this post. However, even Facebook does not use bug bounties as the only form of testing. It supplements its reward program with other internal efforts, such as employee testing, vendor testing, and ex-employee special channels to report bugs.
3. Is this a form of crowdsourced testing? This is indeed a form of crowdsourced testing, but it falls under a very niche category where organizations are looking for specific expertise in an area such as security. Finding security vulnerabilities is by far the major focus of most bug bounty programs.
4. What other benefits emerge from these programs? In addition to the core focus of finding issues in a product, bug bounty programs provide opportunities for young hackers to sharpen their skills and help organizations find good employees. On its security team Facebook has two full-time employees who were found through its bug bounty program. Although this is not the main intent, it is a nice bonus when it happens.
With effective planning, implementation, and an understanding that these programs are a good supplement to the core testing practices, bug bounties can greatly benefit multiple entities. It will be exciting to watch the results of the collective bug bounty with Microsoft, Facebook, and Google, which will hopefully set the stage for future collaborative programs.