Did you know that companies, in order to test their security to see if it holds up in a real-life cyber criminal attack, can get help from external persons who have no connection to the company whatsoever? And that by getting hacked – or even letting themselves get hacked – contributes to strengthening their own security measures?
This is a great way to gain insights into how easy it is for cyber criminals with bad intentions to hack their way into the company. The experiment is easy: If an external person, a so-called security researcher or ethical hacker, can do it, then so can cyber criminals.
The idea is based on the principle of the saying “two heads are better than one”—the more great minds that gather to challenge a company’s security, the better. The only difference is that these hackers are the “good guys” of the hacking world, believing in joint efforts to make the internet a more secure place.
What is black hat hackers and white hat hackers?
When talking about hacking and cyber security, it’s important to keep in mind that there are different sorts of hackers. There are black hat hackers, who are cyber criminals. At the other end, there’s white hat hackers and hackers that operate in between, in a more grey area.
The white hat hackers, however, are so-called ethical hackers or security researchers who are using “their power to do good”. These people will often help companies with strengthening their security through vulnerability research, sometimes even free of charge seeing it as a responsibility to fight cyber crime and better the security on the internet in general.
And this is where bug bounty programs come into the picture, which is a way of inviting white hat hackers to help the company find security vulnerabilities.
What is a bug bounty program?
A bug bounty program is a program put in place by a company or organisation where skilled security researchers are invited to challenge chose parts of the company. These ethical hackers are then searching for, and identifying, weaknesses in the company’s software, website or IT infrastructure that can be exploited in order to penetrate them.
In other words, they try to hack their way in like real cyber criminals would do—challenging the company’s security. This way, they can discover and resolve bugs and vulnerabilities such as flaws in the systems, before the general public so that cyber criminals don’t get the opportunity to take advantage of these flaws.
In a bug bounty program, this process is happening within a legally controlled environment where the target and the rules of the testing are determined in advance.
How does bug bounty programs work?
It’s important that this scope set by the company is respected within the legal boundaries, meaning that there are certain rules or areas where the penetration can take place which is determined in advance. Penetration is an authorised, simulated cyber attack on a computer system, which is performed to evaluate the security of that system.
For example, if the scope is to penetrate a specific software or website, the security researcher is required to stick with this target and is not allowed to look for vulnerabilities elsewhere in the company’s IT assets.
The researcher should also provide the company with a report explaining the steps they took to exploit the vulnerability so that the company can mitigate it and learn from it.
The overall goal of this is to prevent incidents and to obtain the highest security possible. It presents a win-win situation for both parties: The company gets to measure their security and also experience how they’re holding up in a real-life cyber attack situation. The security researcher will receive recognition, often being featured on the company’s bug bounty hall of fame, as well as financial compensation.
Software or websites are usually complex structures with millions of lines of code and there will always be bugs and vulnerabilities that slips in, meaning flaws that can create a sort of unintended “back door” into the product. These are not always easy to find, especially as security becomes more complex, and outsiders’ expertise is therefore very valuable.
When a company puts a bug bounty program in place, they usually partner up with a third-party bug bounty platform, such as Intigriti, HackerOne, Bugcrowd, and OpenBugBounty.
What does the process of ethical hacking through a bug bounty program look like?
Their role is to coordinate and connect companies with security researchers. Companies usually pay a fee to be presented on the platform, whereas the researchers can access the platform for free, and easily get in touch with the companies.
When getting started, the companies will clarify what types of vulnerabilities they want to be notified of, what type of testing is allowed, and on what part of the company’s assets. They also determine how much a finding is worth and the platform will coordinate the payouts and help follow up the fixing of the issues.
The hackers, on the other hand, are financially compensated for their findings and gain scores, or so-called reputation points through the platform, which in turn gives them great visibility and recognition which can open doors for future projects and invitations to private programs.
When a bug bounty program is private, it requires a personal invitation which usually leads to a better quality of the reports, because the company can choose from the best ones within the field. When it is public, everyone on the platform can submit their findings, which creates more competition.
To become an ethical hacker or security researcher, you need advanced computer knowledge such as knowledge about networks, programming, operating systems, architecture and/or databases, and have problem-solving skills.
From there, you need to build up your reputation and standing in the security community, through public achievements of finding vulnerabilities and reporting them.
You might also be interested in reading: What is Data Protection Day?
What is responsible disclosure?
A company might also use responsible disclosure programs to strengthen their cyber security.
Responsible disclosure programs are when you give ethical hackers who stumble across a vulnerability or bug on your application, website, or program, the opportunity to alert the company directly and report their findings without getting in trouble.
According to the policy, the research will be considered authorised by the company and helpful to the overall security of the internet. This is not organised in the same way as a bug bounty program where there’s a legal scope. It’s rather an open channel with guidelines on how to report the issue to the company.
In other words, the company relies on people being honest and reporting their findings the ethical way without malicious intent according to the policy. By doing this, both parties then choose to respect the policy.
As part of the mutual agreement, this gives the company a specific timeframe to patch the issue before the security researcher is allowed to disclose his or her findings to the world. These responsible disclosure policies are usually found on a company’s website.
What are the goals and benefits of bug bounty programs and responsible disclosure policies?
One of the benefits of a bug bounty program is that it facilitates continuous testing instead of a more traditionally planned one-time penetration test from the company’s side. A bug bounty program and a responsible disclosure program will, therefore, strengthen the efforts made by the company, adding a continuous layer of security that can’t be provided by themselves.
Another important benefit is also the power of the crowd: More researchers will lead to more findings and thus better security. It also shows the world that a company takes security seriously and that they’re confident and transparent enough about their security measures to let ethical hackers take a turn.
This is also about creating a transparency culture where taking responsibility and playing with open cards is key. And, of course, cooperating with highly skilled and recognised security researchers to improve the overall security, creates a possibility to stay one step ahead of cyber criminals and to fix issues before they get to them.
Also read: What is an IT Security Policy?
How does Visma work with bug bounty and responsible disclosure?
We in Visma have both a bug bounty program and a responsible disclosure program in order to strengthen our security.
By both giving security researchers the opportunity to alert us on potential vulnerabilities and inviting them to try and penetrate specific areas or applications in the company, we continuously get valuable information on how our security is holding up.
With the responsible disclosure program, we show ethical hackers that we take security seriously, that we’re inviting them to share their findings with us, and that we value their contribution.
If it’s too complicated to report an issue, we can risk that they’re giving up and going about their day—not wasting too much time trying to reach the right persons. We also risk that they’re disclosing the vulnerability without us knowing.
A bug bounty program consisting of more than 150 security researchers
Our bug bounty program was started in January 2019 and we have a partnership with Intigriti, the largest and most well-known platform in Europe. As of today, we’ve had over 150 security researchers invited to the private program and thousands participating in the public program or in our responsible disclosure program.
The participants were either paid in the bug bounty program or listed in the Hall of Fame for Responsible Disclosure valid reports. The hall of fame is where we showcase their name, or screen name, and their achievements for the world to see.
“The program gives us the possibility to cooperate with extremely skilled security researchers from around the world and also learn from them through the vulnerabilities they might find.”
When vulnerabilities are found, we fix them as soon as possible. If nothing is found, we know that there’s a pretty good chance that there is nothing to be found. Both these initiatives come in addition to our own internal efforts to continuously strengthen our security.
We are constantly testing our systems with penetration tests performed by our own security teams and also with the help of external consultants, but adding another layer of security in the form of a bug bounty program and a responsible disclosure program is highly beneficial, and reduces the workload for our internal security teams.