Gurkirat Singh, a software graphics engineer with an independent security research team, has a similar vision: “The majority of the bug bounty programs today are geared toward web security and it is going to stay that way at least for the next few years. But as we see more and more IoT devices come into the hands of the consumers, a stronger switch from website to mobile app/network security will be required and bounty programs will have to cater to those needs,” Singh told SC Media.
De Ceukelaire predicts that within a decade, IoT device manufacturers will begin to include bug bounty policies in their instruction manuals. “It'll become a new standard,” he says. “Sure, there'll always be exceptions, but having a bug bounty program will be considered a pro when it comes to product comparison.”
Renwei Ge, senior director, product security at Qualcomm, a semiconductor and telecom equipment company, agrees that having a bug bounty program in place could have a bottom-line impact on sales.
SC Media Q&A with Sean Malia
You'll have to forgive Sean Melia for being only the number-two-ranked researcher in the 100,000-member HackerOne bug bounty community. After all, he splits his time between hunting for vulnerabilities and performing his day job as a pentester for Gotham Digital Science.
“Consumers are becoming more aware of the security of the devices they depend on every day, be it a smartphone, home router or connected home camera,” says Ge, whose company uses the HackerOne bug bounty platform to crowdsource its vulnerability testing. “In such a connected world with so many products to choose from, security is becoming one of the leading differentiators when it comes to the purchase decision.”
Bug bounties even appear to be impacting how business is conducted at its highest levels. “We're talking to more and more CISOs who are reporting their bug bounty findings to the board,” Casey Ellis, founder and CEO of Bugcrowd, says. "It won't be long before this is an expectation. And with cyber insurance seeing more momentum…it's only a matter of time before risk assessment becomes mandatory for businesses at all levels: fundraising, during M&A, and prior to filing S-1. Bug bounties will be essential to providing this data.”
Still, not every industry is necessarily ready to lay out the welcome mat for hackers. For instance, says Singh, “Financial and health institutions don't want researchers tinkering with their system because it is far more than a nuisance for them.”
Singh adds that internet-connected infrastructure has spread to such industries as transportation, coal, agriculture, health and manufacturing, “but you won't see a bug bounty program for these any time soon due to product accessibility and risk factor.”
Therefore, Singh explains, “only the companies that are willing to take some risk, have their core focus on web security, and [whose] product is easily accessible by others will be the ones shaping bug bounty programs in the future.”