Viraj Malaka

Why your organization needs to pay the Hackers

Bug bounty programs need to be encouraged more, so that your organisation can be secured through the white-hat community. They are effective, fast and cost-efficient.

Today most major tech and non-tech companies are adopting a bug bounty culture. They seek the expertise of security professionals to find major and minor security flaws in their software products or services. This gives organizations a cost-efficient way to “get s**t done” without hiring any more employees, which is a major plus for every company. Meanwhile, this culture also lets security professionals earn some extra cash on the side. Although some security professionals do “bug bountying” for a living, most of them mainly want to make cyberspace a safer place. There are many bug bounty platforms, such as Bugcrowd and HackerOne, which enable both organizations to host their products for testing and security professionals to sharpen their skills.

“We need hackers. Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security. Hackers are truly the immune system of the internet.”

- Marten Mickos, CEO of bug bounty platform HackerOne

What is a bug bounty?

A bug bounty is simply a reward, monetary or non-monetary, given to security researchers who disclose software flaws, more commonly known as “bugs”, in a piece of software, an online application, a mobile application, etc. Organizations give security researchers the chance to “hack” ethically in order to find security loopholes in their product or service. However, all the “hacking” may only be done within a given scope, which the organization has the freedom to define.

Most tech giants, like Facebook and Google, have their own bug bounty programs through which researchers can report their findings directly to the responsible parties. Meanwhile, other organizations can still run a bug bounty program by hosting their products or services on public bug bounty platforms like Bugcrowd, HackerOne, etc.

The main goal of a bug bounty program is to improve the security and quality of the product or service and give the customer a better user experience at minimum cost.

Why minimum cost?

Yes: by having a bug bounty program, organizations can improve their products or services without incurring costs such as hiring professionals, consultancy services, etc. They can simply get the work done by willing security researchers who hunt bugs full time, and having more eyes and viewpoints on something is always a good thing.

What about Sri Lanka?

Although some major Sri Lankan tech and non-tech companies have their own bug bounty programs, some organizations still consider researching and reporting security flaws in their products or services a criminal act and an abuse of the product or service. The culture of listening to end users’ opinions has not yet been established in Sri Lanka.

Yes, organizations can have well-qualified security professionals on duty to find security flaws, but at the end of the day the product or service will be used by end users. End users can have many viewpoints on the product or service and may accidentally find a security loophole in it, so there should be a proper channel to report a security flaw, at least an email address to report the incident. More than half of tech companies don’t have a proper channel for reporting a security vulnerability. Even when they have a proper channel, they tend to ignore such reports.

Not having a public bug bounty program will affect the quality of Sri Lankan software products and services in international markets, because security is a key aspect of the field of information technology.

What should be done?

There was some talk about establishing a public bug bounty for Sri Lankan government websites and databases back in 2017.

  • Why limit it to government websites? A public bug bounty program should be established that is open to all organizations, from small to large.

  • Individual organizations can open a proper channel for addressing vulnerability reports from security researchers.

  • A proper appreciation mechanism should be established, such as a hall of fame, monetary rewards, appreciation gifts, etc.

Viraj Mahanama
