Bug bounty programmes: benefits and challenges

by Antonios Marnelis - Cyber Security Consultant
| minute read

From Microsoft and Apple to Google and Facebook, from the European Commission to the US Department of Defense: all of these companies and organisations have at one time or another invested in a bug bounty programme. And many continue to do so today. The reason, as I explained in a previous post, is clear and simple: there are major benefits to integrating such a programme into your application security testing strategy.

Through a bug bounty programme, companies and organisations offer financial or other rewards and incentives to external people, usually ethical hackers, for finding and reporting software bugs that could lead to severe security exploits and vulnerabilities. As a preventive security measure, it helps those companies and organisations to proactively discover and resolve security bugs before the outside world is even aware of them.

As with any other application security testing activity, implementing a bug bounty programme offers some clear benefits. However, it also poses a number of potential challenges. Let’s have a quick look at both here.


Collective research expertise

Bug bounty platforms are accessible to literally thousands of security researchers from all over the world, with expertise in many different technologies and attack vectors.

Unlimited resources and duration

A bug bounty programme may accept security reports for as long as the company or organisation decides to keep the programme alive and active. Obviously, investing more time in security testing can also result in identifying more weaknesses.

Strong incentives for researchers

Based on the bug bounty programme, security researchers may be rewarded with thousands of euro and/or given recognition for identifying and responsibly disclosing critical security vulnerabilities.


Overcharging the internal security team

Many false reports can be expected to end up for analysis by the internal security team, adding a sometimes excessive workload to an already overcharged team of experts.

Limited to black-box and grey-box approach

Most often companies choose black-box or grey-box testing in their programmes, to avoid disclosing further information about their applications to the public. As a result, more effort will be required from the researchers in order to identify security weaknesses.

Costly to maintain in the long run

Less mature applications may get many valid security reports, resulting in high payouts to the researchers. Also, bug hunting takes place in the very last stages of the Software Development Life Cycle (SDLC). As a result, the costs for resolving the identified weaknesses may be very high.

Towards a modern DevSecOps approach

Integrating advanced application security concepts, such as bug bounty programmes, into your existing Software Development Life Cycle (SDLC) is an extremely demanding and complicated challenge. The plain fact is that application security does not allow for a single, simple solution, since different companies and organisations have different application environments. Therefore many different factors need to be weighed in your decision process.

We recommend that you invest first in identifying the weak areas within your current DevSecOps model and practices. Then you can work towards enhancing those areas in your application security programme.

By providing specialised application security services, Sopra Steria can assist you in establishing and maintaining a modern DevSecOps approach within your organisation. My colleagues and I will gladly discuss your specific challenges and look for tailor-made solutions. Contact us today.