Can Bug Bounty Programs Replace In-House Testing?
Bug bounty programs have entered the mainstream in recent years. Google and Mozilla have long been noted for the extent and success of their initiatives: Google awarded twenty-eight thousand dollars after the release of Chrome 34, which featured nineteen critical fixes, and Mozilla recently announced that it would dole out ten thousand dollars for exploitations of certificate verification in Firefox 31. Bug bounty programs are becoming increasingly common among individual developers, too.
Some small businesses, perhaps taken with the apparent success of these programs, have begun offering cash rewards for vulnerabilities. But before implementing their own programs, enterprises should answer a couple of important questions:
- Should every enterprise adopt a bug bounty program?
- Should the in-house testing be replaced with crowdsourced testing?
Let us look at each of these questions in turn and consider whether the approach is feasible.
Should every enterprise adopt a bug bounty program?
Personally, I do not believe a bug bounty program is for everyone. There are many challenges involved in opening up a product to the outside world. One risk is exposing trade secrets or vital product features to competitors.
Even more important is the danger of becoming more vulnerable to hackers. Nowadays it is extremely easy to reverse engineer an application and understand the design and architecture behind it. Hackers could exploit the weak points of a product and, in turn, cause havoc for the entire company. Just imagine a publicly listed company going down this path.
An organization considering a bug bounty program should be extremely cautious about what gets exposed and should perform a risk assessment before employing this technique.
Should the in-house testing be replaced with crowdsourced testing?
Even though there is value in utilizing the “wisdom of the crowds,” it should be done with some thought. Crowdsourced testing works well with open source products, but with commercial applications the company should first ensure that the product meets minimum quality criteria. It would be embarrassing for the company to expose untested products or features to the outside world. Instead of helping, this process could hurt the product's sales prospects.
While bug bounties can incentivize programmers to uncover hard-to-spot vulnerabilities, they cannot take the place of assiduous quality assurance and test management strategies.
Here are some recommended steps for enterprises thinking of adopting a bug bounty program:
- Have a robust quality assurance and test management tool or strategy in place.
- Test the product thoroughly in house.
- Identify the features by carefully evaluating the vulnerabilities and competitor landscape.
- Build a good user base. The program can also serve as a platform for building loyal users for the future.
Do you think it’s worth embracing bug bounty programs? If you’ve participated in such a program, what benefits and challenges have you seen?