Cloudflare on Tuesday added a public bug bounty program, the cloud security company's first public initiative of its kind since it started its bug bounty program in 2014.
In a Feb. 1 blog post, the company said the first iteration of its bug bounty program was pure vulnerability disclosure without cash bounties. In 2018, Cloudflare added a private bounty program, but now anyone interested can report bugs related to Cloudflare products on its public site hosted on HackerOne’s platform.
Security leaders sense that it’s time to dip their toe into a bug bounty program when they’re sure there’s an internal commitment to run vulnerability discovery all the way to remediation, said Tim Wade, technical director of the CTO Team at Vectra. Wade said if there are known vulnerabilities in software or systems that continually fail to get patched, that’s a clue that there’s internal alignment that still needs to occur around the realities of modern software risk.
“The most important factors to consider are based on cost and risk,” Wade said. “Will pursuing a bug bounty program be cost effective relative to more traditional alternatives, like a penetration test? Will we be able to appreciably improve management of our top risks? If, upon consideration, an organization realizes they have a vulnerability remediation problem, not a discovery problem, that’s a good indication they have some additional maturity between the present and future participation in a bounty program.”
Bug bounties have their merit in the cybersecurity field, but they still fall into the category of focusing efforts post-deployment and being reactive, said Archie Agarwal, founder and CEO at ThreatModeler.
“I would rather that the legitimate security researchers always find the vulnerabilities before the criminals. However, the industry focus must shift towards proactive continuous security in the design and build phase,” Agarwal said.