The vast majority of bugs found via bug bounty programs are cross-site scripting [XSS] bugs, a known class of bugs that are easy to detect, and easy to fix.
“Why would organised crime or nation-states pay for simple classes of bugs that they can find themselves? They’re not going to pay some random researcher to tell them about cross-site scripting bugs,” Moussouris said.
Amen! I want to hand out tee shirts with a snappier phrase to organizations.
“You should be finding those bugs easily yourselves too.”
Moussouris is a huge supporter of bug bounties, having run both the Hack the Pentagon and Hack the Army programs for the US military. But she says that relying on a public bug bounty program just creates the “appearance of diligence”.
“This is not appropriate risk management. This is not getting better when it comes to security vulnerability management,” she said.
Moussouris told the story of one security researcher who’d made $119,000 within four hours in a bug bounty program. That’s more than $29,000 per hour to find simple bugs in a known class.
“That’s a great ROI [return on investment] for that researcher. It’s a terrifying ROI for the organisation that paid him,” she said. …
Simple bugs can be found way, way more cheaply.
Bug bounties are a tool, but only one tool. And it’s a game, so people will look to take advantage.
Then there’s the eternal problem of basic cyber hygiene. Moussouris says we “struggle as an industry” to deal with the last-kilometre problem of actually applying the patches.
“A lot of the patterns [have] not actually shifted that much from where we were when I started out professionally 20 years ago as a penetration tester,” she said.
“We’ve created a $170 billion industry, which, we’re really good at a few things, security not exactly being one of them. Marketing, definitely.”