Bug Bounty budget: an expense? No, an investment!

According to a study carried out by the auditing firm Deloitte, purchasing managers have pinpointed two priorities for 2020: expense reduction (70%) and risk management (50%). However, this second priority often requires further investment in order to increase companies’ resilience.


The Bug Bounty approach leads to a reduction in possible risks, a priority also cited by general directors across multiple sectors, as demonstrated by the 2020 report from the World Economic Forum on global risks and the anticipated increase in cyberattacks.


Is it possible to align expense reduction and an increase in investments?


Yes, if you separate the timelines. In theory, today’s investments will reduce costs in the future, much like an insurance policy, where premiums ensure protection against possible risks. A Bug Bounty strategy is the perfect answer: in the short term, this investment enables you to considerably reduce risks, therefore avoiding inflated costs if there were to be any incidents or cyberattacks.


The consequences of these incidents can be very costly, in terms of company image, organisation, emergency response, resetting the company’s information system, and so on. This is especially true for sectors in which information systems are an essential element of their activity, for example e-commerce businesses or banks.


Once this principle has been recognized, the next step is to draw up a suitable budget for a Bug Bounty, which relies on four different elements:


  1. The scope (functional, geographical, applicational, material…),
  2. The technologies involved (Open Source, network, proprietary),
  3. The duration of the vulnerability research program,
  4. The degree of urgency of the systems and applications (low, medium, high, critical).


Other than these structural elements, it is necessary to take into account two budgetary items: firstly, the amount set aside to pay the bug hunters (who are only paid if they discover any flaws), and secondly, the subscription to a Bug Bounty platform, such as Yogosha, which offers services, resources and a pool of highly efficient, meticulously selected bug hunters.


It is of course possible to favour an internal Bug Bounty approach. At first the cost may seem to be lower.


In reality, it isn’t!


First of all, because of the bias inherent in the distribution of budget items, which in turn makes it difficult to consolidate budgets and to have a global vision of real costs. It also requires you to invest in specific skills and abilities which are not always available in the Chief Information Officer’s or the Chief Information Security Officer’s internal teams.

Finally, this type of approach demands a lot of time from the internal teams if they are to cover an entire information system, time that could otherwise be used for other tasks. You would have to manage dozens of budget lines (salary, infrastructure, material, process adjustment, recruitment, training…), whereas by using a Bug Bounty platform, you only have to take into account two lines (the fee for the bug hunters and the subscription to the platform), perhaps three if you decide to raise your own internal team’s standards, thereby generating an additional budget line to take into account.


Unlike the traditional process of paying a fee once the job has been completed, in a Bug Bounty setting, the payment is made in advance.


The logic behind this approach is justified by the following three points: firstly, the budget includes a subscription to a Bug Bounty platform, whose services are only accessible once payment has been made, in the same way that a mobile network operator or a television network only grants access once the subscription fee has been paid.

Moreover, for bug hunters to be sufficiently motivated and effective (which after all is the primary objective…), they must be certain of receiving payment, and as soon as possible, especially for those for whom it is a full-time job. The bonuses must also be appealing.

Finally, in the Bug Bounty field, the key to efficiency is reaction speed: each vulnerability that is not dealt with immediately puts the security of an information system and an organisation’s resilience in jeopardy. Peace of mind always comes at a price, which needs to be paid before it’s too late!