Inviting people to find flaws in your system might sound crazy. But who would you rather discover a bug: someone working for you, or against you?
Bug bounties. The idea turns some folks' stomachs. Invite people to break into your system and take things, and then reward them when they succeed?
Well, yeah. You want people finding these cracks and telling you about them before someone with bad intentions does.
Here are five reasons to start a bug bounty program:
1. More eyes than you could ever pay. When you open it to the crowd, you get a lot more people looking over your system than you could ever hire. And you only pay the ones who find problems.
2. Building it right the first time is a myth. The best developers in the world still leave unexpected vulnerabilities open. You can dream of bulletproof code, or you can be prepared in case your dreams don't come true.
3. It can save you money. Breaches are expensive to recover from, way more expensive than a few thousand dollars for a bounty. Plus, some of the bugs reported are pricing flaws or unearned discounts, and fixing those stops a direct loss of revenue.
4. It's not a crazy new thing. Little companies like Google, Facebook, Microsoft, Mozilla and PayPal all have bug bounties, so you won't have to do a ton of explaining to bug hunters. They know the drill.
5. You don't have to do it all yourself. HackerOne provides a hosted bug bounty platform where you can define the program's scope, eligibility, and rewards. Similar services are also available from Cobalt and Bugcrowd.
See? There's no need to be afraid of the bugs. Embrace the bugs! Well, not the bugs, but the bug hunters!
Ready to get started on the road to a more secure system? Check out Scott Matteson's article on how to develop a bug bounty program.