Petr Smolník, editor-in-chief of AVERIA.NEWS, asked Pavel Luptak, co-founder of Hacktrophy and CEO of Nethemba, about what a bug bounty program is, how it works and what the current trends are.
Hello Pavel, please tell us, in a broader context, what a bug bounty program is. When and where did it originate, and what is its role in today’s world?
A bug bounty program is a community platform that connects customers or owners of web or mobile applications (or other systems) and hackers, including traditional security testers – so-called ethical hackers – who search for and report security flaws found in these applications. The Hacktrophy program then defines clear rules of cooperation for both parties. If the so-called ethical hacker follows all the rules and finds and reports a security vulnerability, the customer pays him a predetermined reward for this finding.
The operator of the bug bounty platform is usually responsible for verifying the validity of the finding, i.e. whether it is indeed a real vulnerability or not. The operator also mediates and facilitates the communication between the technical hacker and the (non-technical) customer.
The first bug bounty program was established in 1983 in the USA and consisted of reporting problems with the Volkswagen Beetle.
Today, there are several operators of bug bounty programs around the world and they are among the key elements that help in security testing and improving the security of applications and networks. These services are commonly used mainly in North America and the western part of the EU.
What is the state of using these programs in the EU today, and specifically in the Czech Republic and Slovakia? How many companies are using these programs?
In the EU, bug bounty programs are commonly used, especially in Western markets. As with other processes and services, they were first developed there. Later they came “east”. Companies are learning to use these programs gradually. These programs evolved from the information that commercial companies provided to customers on their own websites, inviting them to report a bug that occurred while using the system or products. Today, more and more companies have a similar prompt on their websites. They ask customers to report a “vulnerability” they have found, for example via an email address such as “security@…”.
Most of the time only customers see this prompt, but the cooperation with the bug bounty platform develops this quite a bit. This way, the disclosed project can reach not only customers, but also a greater number of ethical hackers.
There are already companies in the Czech Republic and Slovakia that work with bug bounties. There are not many of them, rather few, but the needs and demands of a growing clientele are increasing.
What is the near future in cybersecurity and what are the opportunities for companies to use these programs?
Personally, I see the biggest shift in artificial intelligence, which can already look for sophisticated security flaws directly in the source code (for example, in so-called smart contracts). It can also write its own malware or exploits. That is something we couldn’t have imagined just a few years ago.
Of course, it’s still quite raw and real testers and ethical hackers on bug bounty platforms are still irreplaceable. Motivated by the rewards, they provide the services of a large number of security testers.
The need to use a bug bounty program is already stated in the security policies of many companies in the western EU, and so it is becoming a requirement in the Czech Republic and Slovakia as well. The advantage of bug bounties is beginning to be perceived and will certainly be used by companies in the central EU for their own security.
Using the services of a hacker for a realistically determined reward, defined by the company itself, is a great idea and a defense against real “hacking” by so-called black hat hackers. Exploiting vulnerabilities or posting them on the “dark web” can cause significant problems: being hacked, stolen data, some kind of malfunction, large financial costs connected with fixing systems, and failure to comply with potential legal requirements. Losing the trust of customers and partners can also cause significant damage.
Penetration testing is great before a system goes live. A bug bounty program, on the other hand, is a great way to maintain security during operation.
And that’s the point!