3 reasons why it is beneficial to have a bug bounty program – from a small blog to a corporate website

Hacktrophy – bug bounty program – from a small blog to a corporate website

Many people see security as an expensive matter. Not every company can afford regular penetration tests: deep, systematic security assessments in which ethical hackers look for vulnerabilities in your website, your infrastructure or your application.

Like many other things, though, security isn’t binary: the choice isn’t between a full penetration test and nothing at all.

Reason #1: It’s expensive to have an unsecured website

Many people see solving security and paying ethical hackers as an extra cost, but an insecure website and infrastructure also cost something. A hack is not just a reputational risk; it brings direct expenses that can’t be avoided.

A hack must be solved

If you own a website and someone replaces it with a defaced version, redirects it to another site or injects malicious code into it, you have to pay the people who find out what happened, how the website was changed and, above all, how to close the hole the attackers came in through. Even in the simplest case, restoring the website from a backup, you still need to identify the attack vector and fix it, otherwise the site will be hacked again within hours. If restoring from backup isn’t an option (for example because the data changes too often and the backup is already stale), the current data has to be reconstructed. In most cases this work is more complicated and more expensive than paying hackers to discover the vulnerabilities beforehand.

Some attackers demand a ransom

A category of malicious code known as ransomware encrypts your data and gives you access to it again only if you pay a ransom. Many ransomware strains also encrypt any backups they can reach, or the infection is already present in the backups you have, so a restore may be useless. The ransom can run to thousands of euros (most often demanded in Bitcoin or Monero). And paying doesn’t end the problem: you still have to decrypt and verify the files and find out how the infection got in at all, otherwise it will come back.

Personal data leak

If your system stores personal data or money, you are liable for the damage, and a leak of personal data can also bring penalties under the GDPR. Although the best strategy is not to hold personal data at all, that isn’t always possible (an online shop that ships orders needs to know the customer’s address).

Reason #2: Security isn’t static

Your developers may tell you that everything is secure: you install updates, you have firewalls and antivirus, you’ve paid for security products, so you should be fine. Maybe you’ve also paid for a penetration test. But security is dynamic, and new vulnerabilities are discovered all the time. What was secure three months ago may now have as many holes as a Swiss cheese. A penetration test is a snapshot; a bug bounty program keeps looking, identifying vulnerabilities and helping you remove them continuously.

Reason #3: Even in security, you can improve

…and this improvement doesn’t have to be expensive. New standards for DNS protection, for fighting e-mail spoofing and spam, and for encryption appear regularly. You can follow them yourself, or you can offer a bounty to anyone who finds that your security isn’t up to date. Bounties for non-critical vulnerabilities can be as low as a few dozen euros.
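The post mentions standards against e-mail spoofing without naming them; the most widely deployed ones are SPF and DMARC, and a stale SPF “?all” or a DMARC policy left at “p=none” is exactly the kind of low-severity, low-bounty finding described above. The Python below is an added example, not part of the original post and not Hacktrophy’s code: it classifies SPF and DMARC TXT records as weak or hardened. The zone data is constructed for a hypothetical domain (example.test) and embedded inline so the check runs offline; in practice you would fetch the TXT records for the domain and for its _dmarc subdomain from DNS first.

```python
"""Classify SPF and DMARC TXT records as weak or hardened.

Added example, not Hacktrophy code. The zone contents below are
constructed samples for a hypothetical domain, not real DNS data.
"""
import re

# Constructed samples: what a weak zone and a hardened zone might publish.
WEAK_ZONE = {
    "example.test": ["v=spf1 include:_spf.mailhost.test ?all"],
    "_dmarc.example.test": ["v=DMARC1; p=none"],
}
HARDENED_ZONE = {
    "example.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"
    ],
}

# Mechanisms/modifiers that each cost one of the 10 DNS lookups SPF allows (RFC 7208).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|redirect)(?=[:=/]|$)", re.I)


def check_spf(txt_records):
    """Return a list of findings for a domain's SPF record; empty means hardened."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail claiming this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = spf[0].split()
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("SPF '+all': authorises every host on the internet")
    elif all_term == "?all":
        findings.append("SPF '?all': neutral result, gives receivers nothing to enforce")
    elif all_term == "~all":
        findings.append("SPF '~all': softfail only; move to '-all' once senders are inventoried")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, over the limit of 10: permerror")
    return findings


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    """Return a list of findings for a domain's DMARC record; empty means hardened."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures carry no policy and no reporting"]
    findings = []
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam; p=reject is stronger")
    elif policy != "reject":
        findings.append(f"DMARC policy '{policy or '(missing)'}' is invalid; record is ignored")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua tag: aggregate reports go nowhere, so abuse stays invisible")
    return findings


def audit_zone(zone, domain):
    """Combine SPF and DMARC findings for one domain taken from a zone dict."""
    return check_spf(zone.get(domain, [])) + check_dmarc(zone.get(f"_dmarc.{domain}", []))


if __name__ == "__main__":
    for name, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(f"{name}: {audit_zone(zone, 'example.test') or ['no findings']}")
```

Each finding maps to a concrete record change (replace “?all” with “-all”, raise “p=none” to “p=reject”, add a “rua” address), which is the kind of fix a small bounty buys you; DKIM is deliberately left out because checking it needs the selector names and the public keys, not just a TXT lookup.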

A small website or a big one – security always pays off

Of course, we run Hacktrophy on Hacktrophy itself, and the founders use it on their own projects as well. Security companies like Citadelo, Nethemba and ESET use Hacktrophy so that they don’t miss anything and stay protected at all times. Hundreds of pairs of ethical hackers’ eyes, driven by rewards, see more than one perfectly skilled security expert can.

Juraj Bednár, Hacktrophy co-founder, runs Hacktrophy even on his personal blog. Although he is an IT security expert, hackers continually help him improve its security. The cost of ignoring security is higher than the small number of bounties he has had to pay so far. He wrote an article about his experience.