In response to the news that a 19-year-old is facing a criminal charge for downloading files from Nova Scotia’s freedom-of-information portal, Aaron Zander, IT Engineer at HackerOne commented below.
Aaron Zander, IT Engineer at HackerOne:
When does/doesn’t a bug bounty make sense for a company?
“Organizations should at the very least implement a channel for responsible disclosure so that should a vulnerability like this exist, it’s reported to the people that can fix it and resolved before being exploited by a criminal. It doesn’t make sense for a company to always offer monetary incentives or bounties from the start. The key to successful vulnerability disclosure and bug bounty programs is being able to manage the volume of reports that come with them. Internal security teams must have a clear and proven process for validating and resolving vulnerabilities efficiently before they allow contributions from outside their organization.”
Are they fairly common now? Are you aware of any governments that use them?
“HackerOne has over 1,000 customer programs currently who have paid out over $27 million to hackers for helping resolve more than 65,000 vulnerabilities to date. More and more companies are adopting vulnerability disclosure and bug bounty programs, especially following the launch of Hack the Pentagon in 2016. The U.S. Department of Defense, Singapore Ministry of Defense and European Commission all have programs on HackerOne.”
Does it make sense for a government to use this technique?
“Because government agencies are so targeted and house so much sensitive information, it’s absolutely important for them to at least have a channel for hackers to disclose vulnerabilities, whether they reward bounties or not. The U.S. Department of Defense has run several time-bound bug bounty programs like Hack the Pentagon, Hack the Air Force and Hack the Army, while also maintaining a vulnerability disclosure program in the background, which welcomes submissions from anyone all over the world and does not offer monetary incentives. In the first year, the U.S. Department of Defense resolved nearly 3,000 vulnerabilities.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.