
Bug bounties are big business. The most accomplished hackers can now make a good living hunting down and disclosing security flaws. Some of the largest programmes offer bounties of $1m or more.
A growing number of organisations now either run their own bug bounty programmes or sign up to a bug bounty platform.
But how do these programmes operate, and how do CISOs ensure that they are run ethically?
What are the risks of inviting researchers to hack your organisation? How do bug bounties stack up against other methods of security testing?
And what are the benefits to security researchers themselves? The programmes cannot work without hackers, so bug bounty programmes are run as communities, with scores, leaderboards and events to encourage security testers to take part.
But programmes also offer features such as identity checks for participants and triaging of reported vulnerabilities, which reduce the workload on security teams.
For this episode, we invited Ottilia Westerlund, hacker engagement manager at bug bounty platform Intigriti, to talk about the pros and cons of bug bounties. Ottilia is herself a former software engineer and published security researcher. She discusses what makes a programme work, the ethics and rules of engagement, and the importance of acting on researchers’ findings with editor Stephen Pritchard.

Featured image: Dmitry Steshenko from Pixabay