Bug Bounties: Efficient Security Strategy or Empty Hype?

Security is expensive. It requires highly specialized tech pros and pricey software. But a lack of security is expensive, too: One data breach can destroy a company.

Thanks to the complexity and expense of security, more companies have turned to bug bounties as a way to ferret out the dangers in IT infrastructure. On the surface, inviting thousands of people to poke at your code makes a lot of sense: The more eyeballs, the better—and paying out a couple thousand dollars to squish some mission-critical bugs is a substantial savings over paying another security expert a six-figure salary.

However, a recent paper from MIT, “New Solutions for Cybersecurity,” suggests that companies that rely too heavily on bug bounties put themselves at substantial risk. Simply put, the vast majority of people poking at the code aren’t skilled enough to figure out the vulnerabilities; it’s always a few elite white-hats who find what’s wrong.

The paper’s authors came to that conclusion after studying 61 bug bounties hosted by HackerOne, including ones for major firms such as Square and Twitter; the study also included a similar bug-squishing effort hosted by Facebook.

“The top seven participants in the Facebook data set averaged 0.87 bugs per month, earning an average yearly salary of $34,255; slightly less than what a pest control worker makes in Mississippi,” read a posting on the Trail of Bits blog that broke down the results. “It gets worse for the top six earners from the HackerOne data set. Averaging 1.17 bugs per month, they earn a yearly average of $16,544.”

What does this mean for tech pros interested in security? First, making a freelance career out of bug bounties probably won’t prove very lucrative. Second, finding those truly mission-critical bugs clearly takes quite a bit of skill—you need education and experience in order to deliver useful results.

When it comes to security, it’s clear that bug bounties are only one part of a potential solution for companies. In fact, given how bug bounties restrict the systems that the crowd can explore—you’re not going to give the Internet access to every part of your infrastructure—it might prove more effective for companies to simply hire skilled security consultants if they don’t want to enlist full-time employees. (That is, unless the company is hosting the bug bounty at least partially as a marketing effort.)