Bug Bounty Hunter | Software security

Publishing software is a risky prospect. Competing priorities push well-established brands and startups alike to release more software on an increasingly accelerated schedule.

When a website or application is released on the Internet, it is an unfortunate but foregone conclusion that attacks will immediately commence and continue indefinitely. Given the commonality of real-world security flaws and third-party attacks, any program that solicits users to report issues must be carefully crafted, with clear guidelines and expectations. In many ways, creating a bug bounty is the smart and logical move. The CISO knows the web application is getting attacked anyway. Success in defending it is time-based: find and fix the holes before malicious parties discover them. The bug bounty is an opportunity to offer an incentive for reporting the flaws instead of exploiting them for profit. However, it would be a mistake for the unprepared organization to use a bounty impulsively or as a first step. In the past, bounties offered hackers a win-win: permission to indulge otherwise harmless hacking and exploration as long as a few rules were followed and any bugs discovered were reported. The reporting process between bug hunter and corporation hasn't always been a smooth one, but things have changed. The bug bounty process became organized and standardized. Bug bounty platform providers (BBPPs) emerged.

Bug bounties are becoming accepted as a normal part of the software development lifecycle (SDLC). BBPPs help guide companies toward more secure software and help ensure fair treatment for the researchers and hackers reporting vulnerabilities. Are bug bounties for everyone, though? We explore the answer to that question and many others