Bug Bounty Budget: An expense? No, an investment!

According to a study carried out by the auditing firm Deloitte, purchasing
managers have pinpointed two priorities for 2020: expense reduction (70%)
and risk management (50%). However, this second priority often requires
further investment in order to increase companies’ resilience. The Bug
Bounty approach reduces exposure to risk, a priority also cited by
general directors across multiple sectors, as shown by the 2020 report
from the World Economic Forum on global risks and the anticipated
increase in cyberattacks.

Is it possible to align expense reduction with an increase in investment? Yes,
if you separate the timelines. In theory, today’s investments will reduce costs
in the future, much like an insurance policy, where premiums provide protection
against possible risks.

A Bug Bounty strategy is the perfect answer: in the short term, this investment
enables you to considerably reduce risk, thereby avoiding the inflated costs that
incidents or cyberattacks would bring. The consequences of such
incidents can be very costly, in terms of company image, organisation,
emergency response, rebuilding the company’s information system, and so on.
This is especially true for sectors in which information systems are an
essential element of the business, for example e-commerce companies or
banks.

Once this principle has been recognised, the next step is to work out a
suitable budget for a Bug Bounty, which relies on four different elements:

  • The scope (functional, geographical, application-level, physical...)
  • The technologies involved (Open Source, network, proprietary)
  • The duration of the vulnerability research program
  • The criticality of the systems and applications (low, medium,
    high, critical)

Beyond these structural elements, two budgetary items need to be taken into
account: first, the amount set aside to reward bug hunters (who are only paid
if they discover flaws), and second, the subscription to a Bug Bounty
platform, such as Yogosha, which offers services, resources and a
pool of highly effective, meticulously selected bug hunters.

It is of course possible to favour an internal Bug Bounty approach. At first
the cost may seem lower. In reality, it isn’t! First of all, because of the
bias inherent in how budget items are distributed, which makes it difficult to
consolidate budgets and to have a global view of real costs. It also requires
you to invest in specific skills and abilities which are not always available
in the Chief Information Officer’s or the Chief Information Security Officer’s
internal teams. Finally, this type of approach demands a lot of time from the
internal teams if they are to cover an entire information system, time that
could be spent on other tasks. You would have to manage dozens of budget lines
(salary, infrastructure, equipment, process adjustment, recruitment,
training...), whereas by using a Bug Bounty platform, you only have to take
into account two lines (the fees for the bug hunters and the subscription to
the platform), perhaps three if you decide to raise your own internal team’s
standards, which generates an additional budget line to take into account.

Unlike the traditional process of paying a fee once the job has been
completed, in a Bug Bounty setting the payment is made in advance. The
logic behind this approach is justified by the following three points. Firstly,
the budget includes a subscription to a Bug Bounty platform, where access to
the services it provides is only granted following payment, just as a mobile
network operator or a television network only grants access once the
subscription fee has been paid. Secondly, for bug hunters to be sufficiently
motivated and effective (which after all is the primary objective...), they
must be certain of receiving payment, and as soon as possible, especially for
those for whom it is a full-time job. The bounties must also be appealing.
Finally, in the Bug Bounty field, the key to efficiency is reaction speed: each
vulnerability that is not dealt with immediately puts the security of an
information system and an organisation’s resilience in jeopardy. Peace of mind
always comes at a price, which needs to be paid before it’s too late!

### Would you like to get started with Bug Bounty, but don't know where to begin?

Download the free Checklist to centralise your information and benefit from best practices for scoping a Bug Bounty program.