Amid bug bounty hype, sometimes security is left in the dust | Threatpost

Bug bounty programs continue to gain traction. A recent study from vpnMentor shows that there are more than 700 programs just this year. In fact, a 2018 HackerOne report shows that adoption of bug bounty programs in North America has surged 37 percent since last year. Latin America is the region with the largest adoption of bug bounty programs, with an increase of 143 percent year over year.

But, as the bug bounty program landscape flourishes, security experts worry that some – like the EU did – are focusing too much on glitzy PR concepts and not on their own security. Moussouris and others argue companies are placing too much emphasis on payouts for specific bugs and not enough on the underlying issues that facilitate the bugs in the first place.

Too little focus on root cause

For the EU, its recently launched bug bounty program was a reaction to the Heartbleed vulnerability. The fear was that the 2014 OpenSSL Heartbleed bug was symptomatic of larger problems. They worried other insecure open-source libraries were being used on who knows how many EU websites and workstations. A bug bounty program would help them get a handle on the problem.

“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment,” he said. “The project maintainers are already overworked, they don’t need a bunch of new bugs to fix…resources shouldn’t always be money [spent on bug bounty programs]. Sometimes money helps, sometimes what’s needed is gear and sometimes maybe it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open-source project.”

Beer said that each vulnerability found should be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”

What about the bug hunters?

“Sometimes, the marketing department of a company will come up with an initiative to pay an outrageous sum as proof of their security,” a full-time information security professional and part-time researcher who goes by the moniker “chudel” told Threatpost. He said companies foolishly challenge the white hat community with offerings like a $100,000 dare to anyone that can hack a company asset.

“This can be problematic because bounty programs may also include detailed terms and conditions stipulating that researchers can be punished for sharing reports with third parties without express permission from the vendor,” he said. “This effectively allows vendors to use bug bounty programs to silence researchers while they drag their feet deciding how to proceed. The result is that researchers may need to decide between getting paid and actually helping people be protected from attack.”

Future of bug bounty

“The only challenge is the hunt for the bug and the difficulty in finding them, and we always find them,” Marten Mickos, CEO of HackerOne, told Threatpost in a recent interview when asked about concerns that companies are relying solely on bug bounty. “Everything else is manageable and can be handled, there are always detractors who will say that this or that is not working. It’s not true.”

Casey Ellis, founder and CTO of Bugcrowd, said that it’s important for firms to recognize the logistics of public bug bounty programs “beyond the press release” – such as a company’s ability to ingest reports coming in from the program, or their ability to actually remediate issues. One way they can do so, he said, is by first engaging a trusted, curated subset of the community in a private, more controlled bug bounty program.

Ellis concedes the industry suffers from multiple interpretations of what constitutes a bug bounty program – for instance, some firms view bug bounty programs as a way to merely find bugs in their products, while others might be smarter with how they handle their programs and view them as an opportunity to hire talent or improve vulnerability disclosure processes.

“That in-house expertise, that’s really what people need to build in terms of long-term sustainable security,” she said. “You’re never going to be able to outsource your bug hunting completely. That’s the most inefficient way to find bugs, is after it’s already out there, after the website is up, or the software is released, or the product is released, and asking a bunch of internet people to help you secure it.”
