A few days ago the Rey Juan Carlos University announced that from now on it will have a “Bug Bounty” program, thus becoming the first Spanish university with an initiative in this regard and the fourth in the world after Stanford University, the University of Drexel and the Massachusetts Institute of Technology.
But what is a Bug Bounty Program? A Bug Bounty Program is simply a protocol or bounty agreement for anyone who identifies and reports bugs. They are usually used – every day more – in the field of computer science, software development, and even in the world of cryptocurrencies.
Its growth has been exponential and currently, the vast majority of large technology companies have these programs. The objective is that whoever finds an error or vulnerability in the code reports it through a safe channel, and in return receives a reward instead of selling it to the highest bidder.
I mean, better corsair than a pirate.
And what are they for? Just to be first on a list or do they have any real utility?
They serve and can be very useful, but an institution does not need one for that.
These programs are based on the crowdsourcing work philosophy, which consists of open outsourcing of tasks or functions previously performed by employees, leaving them in the hands of a group of people or a community (the hacker in our case. The idea is that a heterogeneous group will find more and better solutions, rewarding only the fittest.
In this way, it is clear that it is a very valuable source for obtaining information about errors and vulnerabilities and it even reduces the risk of a cyberattack, both due to the communication of errors and the rewards. For example, even the Pentagon has its own Bug Bounty program.
Now, we must bear in mind that we do not always need to expose ourselves to this type of “security audit” and that if we do try we must take certain precautions to ensure that it is useful and legal for our organization, both for us and “aspiring to be rewarded. ” So, we are going to give a few brief strokes in case someone wants to try it or be the fifth university on the list.
First, you must define the budget you have and, where appropriate, limit the number of rewards or prizes.
Second, we must establish categories of errors according to what they can affect our system and indicate if everyone is entitled to a reward or only some.
If we do not establish those first guidelines, we may have to close the program after a few hours due to the inability to manage and pay for all the reports that arrive.
This brings us to the third point: we must have a team with the capacity to evaluate the notifications that come to us and to correct errors. Without it, it will be of little use to us.
Fourth, it is necessary to establish a secure channel of communication, from the verification of incidents, the elimination of duplicate reports, the confidentiality of the communications, or the processing of the reward. For this, there are several platforms that can help, requiring a certain commission for the management, but that can be a good option if we want to save part of the work.
Finally, I think it is imperative that both parties are honest. Unfortunately, many of these programs have failed because someone has not kept their end of the bargain.
Thus, one must believe that these programs improve and will improve the general security of the network, but it is necessary that if vulnerabilities are detected, they are not misused and that if rewards are promised they are paid.