VIDEO: Alex Rice, co-founder and CTO of HackerOne, discusses the benefits of bug bounty programs and why organizations can never buy every software bug.
In recent years, it has become increasingly obvious that bug bounty programs can be effective tools to help organizations secure application code. At one time, bug bounty programs were the realm of large organizations only, but that has changed in the last few years, thanks to the emergence of bug bounty platforms, such as HackerOne and its rival Bugcrowd.
In a video interview with eWEEK, HackerOne co-founder and CTO Alex Rice explains where the roots of his company come from and how bug bounty programs can work to help improve security for us all.
“HackerOne is a technology platform that helps people that are interested in working with hackers, and [helps] the security community put a lot more structure and process around how they engage with that community,” Rice told eWEEK.
From a financial perspective, bug bounty programs typically involve an organization paying a reward or a bounty to a security researcher for responsibly disclosing a vulnerability. Rice explained that when an organization chooses to reward a researcher, a commission is paid to HackerOne. If there is ever a time when bugs are no longer found in software, Rice noted that HackerOne would be out of business, but he doesn’t expect that to happen any time soon.
Rice emphasized that while HackerOne has a platform that can enable bug bounties, it’s ultimately up to his customers to decide what they want to reward and what type of bugs are actually important.
“At the end of the day, you get what you pay for,” Rice said. “You decide what you’re willing to buy as a customer, and if you only get value from fully working exploits, then that’s the bar you set for participation in your program.”
For Rice, simply finding and reporting potential security exploits is not the end game for full application security. He explained that for his customers, which include large vendors like Adobe and Twitter, HackerOne is the front end of vulnerability reporting. The front end then needs to tie into the customer back-ends for vulnerability management.
“The [bug] reporting is just the beginning,” Rice said.
Rice explained that it’s important for organizations to handle security vulnerability reports properly, beyond just the initial report of a specific bug.
“The real value you get out of these programs is the root cause analysis of why a given bug was caused in the first place,” Rice said. “You can’t just buy every vulnerability that is out there; you have to start making systematic changes to ensure that bugs don’t get introduced in the first place.”
Watch the full video interview with Alex Rice below:
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.