At BSides and RSA, bug bounty experts Amit Elazari and Katie Moussouris say today’s programs lack adequate "safe harbor" hacker protections and vulnerability-patching requirements.
Using a bug bounty payment to conceal extortion or a breach, as Uber did, violated platform policies and Justice Department guidelines. Security experts explain how it also put consumers at risk.
Organizations don’t necessarily need to pay for zero-days, experts say. First, they need to set up vulnerability disclosure channels and establish reasonable response times.
At hacking contests like Pwn2Own, individual hackers can shine. Participating companies, meanwhile, can find and recruit badly needed talent, as they build hacker-friendly reputations.
Sans regulation or consistent guidelines, experts say it’s in the best interest of software vendors and security researchers to coordinate on disclosures and patch releases.
A Veracode-sponsored study of “the relationship between bug bounties and internal efforts to secure software” concludes that using bug bounties alone would be a highly expensive endeavor.
While its top prize of $200,000 is a far cry from what hackers can earn for unpatched bugs on the black market, the security community is largely applauding the tech titan’s move.
While companies set up programs for hackers to report vulnerabilities, independent marketplaces buy and sell hacks to popular software programs with no oversight or accountability.
Add the Pentagon to the growing list of nontech organizations looking to improve their tech security by paying independent security researchers to hack them.
