  • Laetitia Michel

What is the Bug Bounty?

Updated: 18 hours ago

Often translated into French as "prime au bogue" or "bounty for the detected flaw", the bug bounty appeared in the 90s within Netscape Communications Corporation. Well known to large companies such as Tesla or Apple, as well as to the GAFAMs (Web giants: Google, Apple, Facebook, Amazon, Microsoft), bug bounty is a method of granting a monetary reward to anyone who finds one or more security flaws in a defined computer programme.



Because of how it works, more and more companies and hackers are adopting this approach. The researcher (hacker) is paid for the flaw discovered, and the more critical the flaw and the better documented it is (a quality report, detailed countermeasures, etc.), the higher the reward. This gives the company a certain guarantee as to the seriousness and motivation the hacker brings to the research work. It also avoids unnecessary expense: if the hacker finds nothing, the company does not have to pay a single cent.

But how do you find the right person? How can we be sure that we are dealing with honest hackers (white hats or ethical hackers) and not malicious hackers (black hats)?


To allow companies and hackers to meet each other, platforms bringing together communities of professionals and enthusiasts have been created. Several selection systems can be used to admit hackers. To join YesWeHack, the leading European platform, for example, it is necessary to accept the platform's terms of use, which include a confidentiality clause, while to join Yogosha, another French platform, it is necessary to go through a selection process that includes passing technical tests and verifying the applicant's identity.


Companies therefore have a certain guarantee concerning the motivation and seriousness of the people they will be working with. And on the hackers' side, they join a community, have access to dojo challenges, training, documentation, etc., as well as help from the structure if a problem arises with the clients. Indeed, even if large companies take the reporting of vulnerabilities very seriously and do not hesitate to pay the people who discover them handsomely, this is not necessarily the case for smaller companies. Sometimes, some of them try to minimise the criticality of the vulnerability discovered so as not to have to pay too much. It is in such cases that the platforms take on the role of mediator between the hacker and the company.

Bug bounty and pentest, what are the differences?


As mentioned above, for bug bounty, the company works with hackers or a hacker organisation (such as the platforms) and only pays for the flaw found. The time spent searching is not taken into account.

Pentesting is the opposite. The company works with a cybersecurity expert specialised in pentesting who will be paid for his work in searching for vulnerabilities, regardless of the result. The remuneration will also take into account the exploitation of the vulnerabilities if they are found and the writing of a report.

Bug bounty or cybersecurity audit?


As with all subjects, opinions differ. Some will say that a bug bounty is more effective than a cybersecurity audit because professionals and/or enthusiasts will do everything they can to find vulnerabilities, whereas an audit does not guarantee results.


Others will say that there is nothing better than a white-box audit, in which the experts have access to the entire system, its programs, the organisation of the company, etc., and will therefore be able to see all the vulnerabilities that may not have been exploited during a bug bounty.


Indeed, the bug bounty focuses on the discovery of flaws within a defined cyber-space, whereas the white-box audit can focus on a defined cyber-space as well as on an entire information system, which may include the company's physical security. During a white-box audit, the experts have access to all the information concerning the perimeter to be tested, which is not the case for a bug bounty. With unsecured internal communication or freely accessible servers and USB ports, the entire information system can be compromised, including programs that malicious persons can modify in order to take advantage of them during distribution, for example.


The bug bounty can therefore, for example, discover vulnerabilities in a program, but it cannot reveal the risks in everything around that program that jeopardise its integrity.

White-box auditing and bug bounty are therefore not carried out in the same way, simply because they are different. Nevertheless, because they are complementary, it can be worthwhile to combine the two for maximum security!


