From the course: Launch a Bug Bounty Program

Why launch a bug bounty program?

- [Instructor] So why a bug bounty program? To answer this question, let's look at a great example of a successful bug bounty program, the Hack the Pentagon project by the U.S. Department of Defense. When the initiative started in 2016, the scope was limited to only public-facing DoD websites and applications. But today, the program has expanded to include all of DoD's publicly accessible networks, IoT devices, industrial control systems, and many more. Since the launch of DoD's bug bounty program, they have received over 29,000 vulnerability reports, with more than 70% of them determined to be valid. So a bug bounty program can be extremely effective, especially if you have a large number of users or customers using your product or services over the public internet. Let's identify how you can benefit from a bug bounty program and what some of the pros and cons are. Let's start with the pros. First, it's cost-effective. You only pay for what you see. That means you have the flexibility to define the monetary reward depending on the severity of reported vulnerabilities. Second, you get continuous pen testing at a large scale. So many security researchers are testing your application in real time, as opposed to third-party scoped pen testing engagements. And third, bug bounty helps you in identifying potential gaps and blind spots. As you know, most applications these days are complex and have a lot of dependencies on other applications or infrastructure. This complexity can introduce some gaps that might be difficult for your internal team to figure out, and bug bounty can help uncover some of those areas. These are just a few examples of pros, and there are many more that largely depend on your business area and particular situation. Now let's move on to the cons list. Bug bounty testing can be less comprehensive sometimes.
Since the researchers are largely driven by monetary compensation, it's fair to assume that they want to test for the highest-paying vulnerability categories, such as remote code execution, authentication, or authorization issues, which makes the overall testing less comprehensive. Another drawback of a bug bounty program is effectively managing the program. You might have to deal with a large number of false positive reports, award miscommunication, and often have to deal with disagreements and pushback from researchers. The last con on this list is managing requirements and resources. For instance, you might need security experts on your team to triage and understand the bug reports and communicate them to engineering teams. You would also have to navigate any budget constraints and approvals. Depending on the number of valid reports you get, the budget could go up or down over time. Overall, identifying the right balance between justifying the cost and the value you get from the bug bounty program is the key. This could vary depending on your company's size, security maturity stage, and the type of business and industry you are in.