Learn how bug bounty programs paired with pentesting can help you make the most out of your security program.
TL;DR:
Bug bounty programs are a way to incentivize ethical hackers to find security vulnerabilities in applications. Companies offer financial rewards, known as bounties, for vulnerabilities found at different severity levels. Bug bounty programs are often used with penetration testing to enhance overall security resilience. These programs have an element of responsible disclosure, where hackers must notify the company of the vulnerability and give them time to patch it before going public. Bug bounty programs have pros and cons:
Pros:
Cons:
Penetration testing is a planned and comprehensive way to measure an application's resilience to attack. It involves ethical hackers attempting to find as many vulnerabilities as possible within a specified testing period. Penetration tests come in several types, including white-box, black-box, and grey-box testing.
Pros:
Cons:
In addition to bug bounty programs and penetration testing, there are other types of application security testing available:
The choice between bug bounty programs and penetration testing depends on specific needs and goals:
Responsible ethical disclosures are a crucial security requirement and best practice for organizations of all sizes. Startups and scaleups can implement such disclosures by adhering to a set of recommended steps. These guidelines ensure that security vulnerabilities are reported and addressed in a manner that protects both the organization and its stakeholders.
Responsible Ethical Disclosure policies drive Bug Bounty programs, allowing ethical security researchers to responsibly disclose vulnerabilities found within the company's application or environment for a predetermined price per vulnerability. Compliance frameworks such as SOC 2 don't require a company to have a Bug Bounty program, but any company under such a framework does require a Responsible Ethical Disclosure policy. Companies without a Bug Bounty program that are aligned with compliance frameworks like SOC 2 will still have a Responsible Ethical Disclosure policy and a process that includes these steps:
A sample templated response if you do not have a Bug Bounty Program:
Hi (ethical security researcher’s name),
Thanks for this. (Company name) is committed to working with the broader community of security professionals to continue improving our security posture.
We conduct regular penetration testing on all applications and infrastructure in scope for our Responsible Ethical Disclosure Program with a trusted vendor.
At this time we do not run a Bug Bounty program and therefore are not in a position to provide financial compensation.
Thanks for your understanding.
(Name)
A sample templated response if you are building a Bug Bounty Program:
Hi (ethical security researcher’s name),
Thanks for this. (Company name) is committed to working with the broader community of security professionals to continue improving our security posture.
Given the severity of this vulnerability and the data we protect, we are able to provide a financial reward of x. I’ve cc’d our financial team to discuss the next steps for payment.
Thanks for your assistance.
(Name)
For example, if a company is in a highly regulated industry such as healthcare, security, or financial services, it can offer up to 100% more for a Bug Bounty than companies that are not; anywhere from $500 to $5,000 per vulnerability depending on the severity and impact level.
Companies that do not work with sensitive data, are less regulated, and are at an earlier stage of growth can pay anywhere from $250 to $2,500 depending on severity and impact level. This range can vary significantly, and it is best to consult a cybersecurity expert to confirm the standard payout per vulnerability for your organization.
Both bug bounty programs and penetration testing are essential tools for improving application security, each with its advantages and challenges. Bug bounty programs offer continuous, real-time testing by incentivizing ethical hackers to discover vulnerabilities, but they can also introduce risks such as unpredictable costs and potential malicious intent from unknown hackers. Penetration testing, on the other hand, provides a structured, comprehensive evaluation with trusted experts but is limited by its scope and time constraints. To optimize security, organizations can combine these methods or use alternative testing approaches, such as vulnerability scanners and secure code reviews. Implementing a responsible ethical disclosure policy is critical for ensuring vulnerabilities are addressed appropriately, regardless of whether a bug bounty program is in place. Ultimately, the choice of security testing strategy should align with an organization's specific needs, goals, and compliance requirements.
| Comparison | Session cookie | Token |
| Security | Can be easily manipulated without detection if not properly secured. | Digitally signed and can be validated on the server. Manipulation can be detected. |
| Size | Limited to 4KB. | Can contain much more data, up to 8KB. |
| Dependency | Often used for session data on the server-side. The server needs to store the session map. | Contains all the necessary information in the token. Doesn't need to store data on the server. |
| Storage Location | Browser cookie jar. | Local storage or client-side cookie. |