31 May 2022: The South Australian (SA) government is launching a bug bounty program through the Department of Premier and Cabinet (DPC) to encourage cyber security researchers to discover weaknesses in the organisation’s technology. The DPC revealed that 234 of the SA government’s environments have not undergone pentesting in the past three years. The SA government allotted an AU$20 million budget for its cyber defence program in 2021 to establish cyber security operations centres (CSOC). No exact amount was mentioned for the financial compensation for researchers who successfully discover vulnerabilities.
In 2019, New South Wales created the state’s first bug bounty program through the Service NSW digital driver’s licence. The U.S. Department of Homeland Security (DHS), on the other hand, launched a similar program last year, which rewards participants with the highest bounties based on the severity of the bugs.
Why it’s Important
Crowdsourcing ethical hackers to discover cyber vulnerabilities that organisations should be aware of is necessary to validate the existence of weaknesses within their applications. Both public and private organisations benefit from improved remediation time as a result of increased detection of vulnerabilities, which helps to better prevent data breaches. In addition, with such a program, access to top talent is more cost-effective than maintaining an in-house team that is under contract whether it finds any issues or not.
While websites often undergo vulnerability testing for maintenance and security practices, putting out a bug bounty program weeds out amateur hackers who leverage websites that offer free tools to identify security flaws or misconfigurations. Some of these include SSL Labs by Qualys, Security Headers by Probely, and CookieServe by CookieYes. The reports from these tools produce little to no value, which only adds to the workload of the organisations that have to review and verify the findings.
A well-managed bug bounty program, on the other hand, can provide excellent feedback on the security of a site. It harnesses the expertise of many researchers and encourages responsible disclosure. For example, a bug bounty vendor, Bugcrowd, is now offering a posse of testers as an option for pentesting a website.
In addition, a bug bounty program can be used to test the ability of an in-house security team, and of the existing tools it uses, to detect flaws on websites.
However, IBRS also underscores the limitations of such a program. For instance, when an organisation doesn’t have a transparent and clear scope for testing, participants may go beyond ethical frameworks, or breach regulatory compliance standards.
In addition, when too many vulnerabilities are discovered, it can drive up the cost of financial incentives. This can include security issues that were not immediately remediated.
Finally, not even a bug bounty program will stop malicious hackers from researching, testing and taking advantage of flaws to attack a site. However, encouraging ethical hackers to discover vulnerabilities first is necessary so that organisations can get ahead of outsiders who can exploit such weaknesses.
- Cyber security teams
- Ensure that the website is hosting a security.txt file. This provides information on who to contact for security issues, and links to any vulnerability disclosure programs or bug bounty programs in place. The format is now formalised as RFC 9116, issued by the Internet Engineering Task Force (IETF) to guide vulnerability disclosures.
- Establish a closed bug bounty that is only open to named researchers. This puts a cap on the financial incentives that will be given out for successful discoveries. The organisation can then eventually open the program to a wider audience. At the same time, the organisation should tightly define what’s in and out of scope. This should be managed progressively, since researchers can quickly get frustrated if the coverage of the program is not transparent.
- Do not fully depend on bug bounty programs that detect single vulnerabilities as a long-term security strategy. Instead, examining the attack surface must cover the full spectrum to avoid relying only on incremental improvements.
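To make the security.txt recommendation above checkable, the following added example (not part of the original advisory) validates the body of an unsigned security.txt file against the main RFC 9116 rules: Contact and Expires are required, Expires may appear only once and must not have passed, and web URIs must use https. The function name, the sample file and the example.com domain are constructed for illustration.

```python
from datetime import datetime, timezone, timedelta

REQUIRED = ("contact", "expires")                 # both mandatory in RFC 9116
ONCE_ONLY = ("expires", "preferred-languages")    # may not be repeated

def check_security_txt(text, now=None):
    """Return a list of problems found in an unsigned security.txt body."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blank lines and comments
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()   # names are case-insensitive
        if not sep or not value:
            problems.append(f"malformed line: {line}")
            continue
        fields.setdefault(name, []).append(value)
        if value.lower().startswith("http://"):
            problems.append(f"{name}: web URIs must use https://")
        elif name == "contact" and ":" not in value:   # e.g. a bare e-mail address
            problems.append("contact: value must be a URI (mailto:, tel: or https://)")
    problems += [f"missing required field: {n}" for n in REQUIRED if n not in fields]
    problems += [f"{n}: must appear only once" for n in ONCE_ONLY
                 if len(fields.get(n, [])) > 1]
    if len(fields.get("expires", [])) == 1:
        stamp = fields["expires"][0].upper().replace("Z", "+00:00")
        try:
            expires = datetime.fromisoformat(stamp)
            if expires.tzinfo is None:
                raise ValueError("no UTC offset")
        except ValueError:
            problems.append("expires: not an RFC 3339 date-time with offset")
        else:
            if expires <= now:
                problems.append("expires: date has passed, file is stale")
            elif expires > now + timedelta(days=365):   # RFC recommends under a year
                problems.append("expires: more than a year away")
    return problems

# Constructed sample for a placeholder domain, not a real deployment.
SAMPLE = """\
# Security contact details
Contact: security@example.com
Policy: http://example.com/vdp
Expires: 2022-01-01T00:00:00Z
"""

if __name__ == "__main__":
    print("\n".join(check_security_txt(SAMPLE)) or "no problems found")
```

The file itself belongs at /.well-known/security.txt on the site, served over HTTPS.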