What is a bug bounty program?

In simple terms, a bug bounty program is a scheme whereby individuals (commonly referred to as “ethical hackers”) are rewarded (in kind and/or by way of recognition) for reporting bugs in third-party systems, especially those pertaining to security vulnerabilities.

The goal is to allow the developers to discover and fix security vulnerabilities before they are detected and exploited by malevolent parties. Bug bounty programs have been implemented by a large number of organizations worldwide and have become a mainstream tool of cyberdefense.

In Iceland, Defend Iceland was established as the nation’s first bug bounty program.

Why take part in a bug bounty program?

  • If for example your organization runs a website or an online app, then you will definitely want to test its security to make sure that it cannot be hacked easily, or suffer a data breach.
  • In the online world, everyone is a target. From the moment your systems are exposed to the Internet, they will be probed and attacked. Inviting the good guys to take a look at your systems can greatly reduce the odds that bad guys will cause damage later.
  • A security incident such as a ransomware attack could have devastating consequences in terms of: data loss – disruption of business activities – exposure of personal information – regulatory fines – legal liability – tarnished corporate reputation – remediation costs – unrealized growth potential.
  • In extreme cases, a cyberattack can lead to bankruptcy and costly legal proceedings.

Benefits

  • Cost-effective: you pay only for discovered flaws, and the reward paid is in line with the severity of the identified flaw
  • Flexibility: you set the rules and specify the “assets” that are in scope (what the bounty hunters are allowed to do and what they are allowed to test)
  • Proactive defense: let cyberdefenders guard your perimeter around the clock
  • Diversity of talent: since all platform members are eligible to probe your systems, you’ve got more eyeballs on your systems, and you are not tied to the service of one specific individual
  • Awareness: being part of a bug bounty program fosters a strong IT security culture inside your organization and improves your overall security posture
  • E-reputation: having a vulnerability management in place demonstrates your commitment to security and safeguarding the data of your customers

Who is on board?

Leading institutions across the country have already joined Defend Iceland, among which: Arion banki – Íslandsbanki – Kvika – Landspítali – Landsvirkjun – Reiknistofa bankanna…

Downsides and limitations

So far we have painted a fairly enthusiastic picture, but we need to consider a few things too:

  • There is considerable uncertainty in terms of financial compensation for bounty hunters, since they could spend countless hours (and nights) without turning up a single exploitable flaw. No cure no pay, remember.
  • Bug bounty platforms are in general fairly open, and not all applicants are highly experienced. There is no guarantee that you will get cutting-edge service at all times, or that enough individuals will devote any meaningful time to you.
  • Bounty hunters are volunteers, and to keep them motivated there has to be adequate compensation for reported flaws, especially those that could potentially cause costly damage to your organization. We all have bills to pay, and cyberdefenders are no exception. If you want to attract talent, then make it worthwhile for them to take part in your program.
  • A bug bounty program is no substitute for a fully-fledged security assessment of your systems. If you require a dedicated and extensive security audit, consider hiring a specialized IT security consultancy instead. Use bug bounty programs as part of your continuous defense.

Conclusion

Make no mistake, if your website or online app has any exploitable flaws, someone will ultimately find them sooner or later, to your disadvantage. Security should be part of your corporate DNA and not a mere afterthought.

Sadly, the vast majority of cyberincidents could have been prevented, because they do not rely on novel attacks but on known hacking techniques that have been used over and over previously.

Don’t wait until it’s too late, let the experts secure your business and your assets.

Disclaimer: Darknet ehf does not have a direct stake in Defend Iceland but has personnel registered on the platform. We support all initiatives that promote healthy IT and contribute to a safer society.