Casey Ellis, Bugcrowd Shares Why Bug Bounties Are Critical to Cybersecurity

Once company-wide work-from-home mandates begin to lift post-COVID, organizations will need to figure out how to secure a network that has been physically undefended for over a year. This raises significant security concerns: 47% of individuals fall for phishing scams while working from home, and hundreds of employee devices that have been on home networks for the past year will suddenly be plugged back into a corporate network, creating the perfect watering hole for adversaries.

In order to prevent handing adversaries a prime opportunity to target corporate networks, organizations must capitalize on the chance to get ahead of adversaries with the help of security researchers. By leveraging external security researchers, organizations can proactively identify vulnerabilities within their network before they are exploited, as opposed to the traditional approach of addressing vulnerabilities only once a cyberattack has occurred.

We spoke with Casey Ellis, Bugcrowd co-founder, chairman and CTO, to get his insights on how organizations can leverage security researchers via bug bounty or vulnerability disclosure programs (VDPs) to harden corporate network security, and on the importance of having a bug bounty program.

There seem to be a lot more vulnerabilities in software in recent years. What can you attribute this to?

Cybercrime has only become a major concern for organizations in the last five to six years, and has only become an executive concern in the past year, due to the wealth of digital innovation that has taken place during these times. Despite this increase in concern, current security solutions fall short of what is needed as companies continue to transform. As organizations are continuously looking to enhance current processes, increase efficiencies and scale both nationally and internationally, the adoption of digital technology and assets has increased the size of companies' attack surfaces — ultimately creating more vulnerabilities for malicious adversaries to exploit.


The increased digitization over the past few years has also resulted in a significant rise in state-sponsored cyberattacks on both government agencies and the private and public sectors. These incidents have highlighted that every organization, regardless of its size and popularity, is prone to cyberattacks. As a result, organizations have realized that the impact of a cyberattack can go well beyond the targeted organization, as seen recently with the Ukrainian government’s Ukrainian System of Electronic Interaction of Executive Bodies (SEI EB) acting as an all-access pass to other Ukrainian government agencies.


It would be remiss to not attribute the most recent rise in cyberattacks to the COVID-19 pandemic, as many organizations have rapidly shifted to digital and remote operations, thereby expanding their attack surfaces. Similar to the gradual digital transformations in recent years, the pandemic forced many organizations to adopt new technology, but at unprecedented paces. In many of these cases, cybersecurity did not remain top of mind during these breakneck-speed digital transformations, and towards the back of 2020 and into 2021 the increasing velocity of major breaches has given weight to this trend.

What is the importance of having a bug bounty program?

In order to prevent handing adversaries a prime opportunity to target corporate networks, organizations must enhance their security strategies and augment their internal resources with the help of external security researchers. Bug bounty programs can serve as a security force multiplier within an organization’s security strategy, allowing organizations to proactively engage the on-demand talents and expertise of highly skilled, global security researchers—known to us collectively as "the crowd" and sometimes called ethical hackers—to proactively identify vulnerabilities within their network before they can be exploited. This approach allows organizations to better balance the economics and resourcing available to the swarm of potential malicious adversaries, as opposed to the traditional approach of addressing vulnerabilities once a cyberattack has occurred.


Bug bounty programs are ultimately a subset of a universally critical concept, vulnerability disclosure programs (VDP), which provide a secure channel and clear terms for security researchers to safely disclose vulnerabilities to a company and receive monetary rewards for their findings. In turn, organizations can address or patch vulnerabilities without the time constraints of fixing a vulnerability once an attack has taken place. This additional time to address vulnerabilities can make or break an organization’s business, as most enterprise leaders are not aware of what a cyber-attack entails or how to resolve it until after an attack has occurred.

What size of company should implement bug bounties?

Public bug bounties, in general, should only be implemented by organizations with mature security and secure development programs (including the remediation of vulnerabilities reported from the outside world). Private bug bounties and crowdsourced security can be used to the advantage of organizations of any size. VDPs are similar in terms of the importance of remediation and vulnerability ingestion on the receiving side, but are something I'd consider a "must-have" for organizations of any size. They are the Neighborhood Watch for the Internet, and the Internet, unfortunately, is a bad neighborhood.


The decision of when to implement a bug bounty program will vary by company and industry. However, an organization can never be too early to the party when it comes to securing its own assets. Once there is something worth protecting, companies of any size should consider up-leveling their security regimen — whether that means adopting a bug bounty program or leveraging external security experts to weigh in. This will be critical in the long term, as organizations will greatly benefit from securing their attack surfaces early on, specifically prior to achieving major growth on a national or global scale. Business leaders and IT teams should work closely to determine the best timeline for launching their own bug bounty program.

What are the benefits of having a security team in-house vs. outsourced?


An in-house security team has the upper hand in terms of understanding an organization’s business processes, decision-making, and industry-specific pain points. On the other hand, outsourced or external security researchers can provide an outside perspective into the types of vulnerabilities and attack surfaces that an adversary would typically prey on, and help identify those within an organization’s programs or systems. A bug bounty program paired with an internal security team combines both of these benefits, as its approach allows internal security teams and external security researchers to collaborate in order to refine an organization’s cybersecurity posture and uplevel its security best practices.


While speed is the natural enemy of security, the best way to improve your organization’s security posture and defeat attackers is by thinking like one. Even organizations with in-house security teams can benefit from the help of external security researchers. For example, having a VDP has allowed organizations such as Google to quickly address a vulnerability and avoid potentially detrimental database exposures or breaches for some of the most popular apps in the Android app store.


The relationship between internal and external security teams can be further augmented through the use of crowdsourced penetration testing, which enables external security researchers to continuously test and monitor an organization’s programs and systems for vulnerabilities. As a result, organizations and their digital assets will be able to remain agile, even as they scale over time.