You can also use bug bounties strategically, for example to get the systems of a new acquisition up to the same level as the rest of your business, once you’ve worked through your own integration processes. “Use a bug bounty for a specific period of time to shake out as many more bugs as possible,” Moussouris advises.
When Microsoft introduced its first bug bounty for Internet Explorer 10, it was because it was having difficulty getting researchers to report bugs during beta testing: the only reward on offer was being named in a security bulletin, and since bugs fixed during the beta cycle didn’t usually get announced in a security bulletin, researchers inadvertently had an incentive to wait and disclose bugs later. The bug bounty program offered recognition and a small cash reward, and it was targeted, explains Moussouris. “It was a huge efficiency win for the engineers because they were all working on the exact version of the browser they were getting bugs for.”
Not only did they get relevant bugs, they also got reports that revealed underlying problems they were able to find and fix as well. “That’s what you want to use a bug bounty for,” emphasizes Moussouris. “You don’t use it to replace any parts of your existing security efforts; you use it to fine-tune and hone the process and get the kinds of bugs you want in areas you want.”
Moussouris urges every business to, at the very least, set up a way for security researchers to tell you about problems. “Hardly anyone is even doing vulnerability disclosure. If you have customers, you’re going to set up a customer response system. If you have code, why not set up a vulnerability disclosure system?” After all, the researchers who want to tell you about your vulnerabilities won’t be the only people who can find them.
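A concrete, low-cost starting point for the disclosure channel Moussouris describes is a security.txt file (RFC 9116) served at /.well-known/security.txt, which tells researchers where to send reports. The validator below is an added example, not from the article or from anyone quoted in it; the two sample files are constructed, and the example.com addresses and URLs in them are placeholders. It checks the RFC's hard requirements (at least one Contact given as a URI, exactly one Expires in ISO 8601 form that lies in the future) and flags the soft ones it can see (http rather than https contacts, an Expires more than a year out).

```python
"""Validate a security.txt file (RFC 9116), the standard place to publish a
vulnerability-disclosure contact. Added example with constructed input."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample that follows the RFC; example.com values are placeholders.
GOOD_EXAMPLE = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-06-30T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/disclosure-policy
"""

# Constructed sample with typical mistakes: no Expires, a bare e-mail address
# instead of a mailto: URI, and a plain-http contact URL.
BAD_EXAMPLE = """\
Contact: http://example.com/report
Contact: security@example.com
Acknowledgments: https://example.com/hall-of-fame
"""

REQUIRED = ("contact", "expires")


def parse_security_txt(text):
    """Return (fields, errors); fields maps lowercase name -> list of values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {lineno}: expected 'Field: value'")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def _parse_expires(value):
    """Parse an ISO 8601 date-time; a trailing Z is accepted as UTC."""
    if value and value[-1] in "zZ":
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone")
    return dt


def validate_security_txt(text, now=None):
    """Return (errors, warnings). Errors violate the RFC; warnings are advice."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field '{name.title()}'")
    for contact in fields.get("contact", []):
        scheme = urlparse(contact).scheme.lower()
        if scheme not in ("mailto", "tel", "https", "http"):
            errors.append(f"Contact '{contact}' is not a mailto:, tel: or https: URI")
        elif scheme == "http":
            warnings.append(f"Contact '{contact}' should use https")
    expires = fields.get("expires", [])
    if len(expires) > 1:
        errors.append("Expires must appear exactly once")
    elif expires:
        try:
            dt = _parse_expires(expires[0])
        except ValueError:
            errors.append(f"Expires '{expires[0]}' is not an ISO 8601 date-time")
        else:
            if dt <= now:
                errors.append("Expires is in the past; the file is stale")
            elif dt - now > timedelta(days=366):
                warnings.append("Expires is more than a year away")
    return errors, warnings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("bad", BAD_EXAMPLE)):
        errs, warns = validate_security_txt(sample)
        print(label, "errors:", errs, "warnings:", warns)
```

Run it against the file you actually serve, and schedule a re-check before the Expires date passes: a stale or unreachable security.txt is the disclosure-system equivalent of a customer support line that nobody answers.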
This story, "Why you need a bug bounty program" was originally published by CIO.