What is a Bug Bounty Program?

A few days ago the Rey Juan Carlos University announced that from now on it will have a “Bug Bounty” program, thus becoming the first Spanish university with an initiative of this kind and the fourth in the world after Stanford University, Drexel University and the Massachusetts Institute of Technology.

But what is a Bug Bounty Program? A Bug Bounty Program is simply a protocol or reward agreement for anyone who identifies and reports bugs. They are used, and increasingly so, in the field of computer science, in software development, and even in the world of cryptocurrencies.

Its growth has been exponential, and currently the vast majority of large technology companies have such programs. The objective is that whoever finds an error or vulnerability in the code reports it through a secure channel and receives a reward in return, instead of selling it to the highest bidder.

In other words, better a corsair than a pirate.

And what are they for? Are they just a way to be first on a list, or do they have any real utility?

They do serve a purpose and can be very useful, but an institution does not need one merely for that.

These programs are based on the crowdsourcing work philosophy, which consists of openly outsourcing tasks or functions previously performed by employees, leaving them in the hands of a group of people or a community (hackers, in our case). The idea is that a heterogeneous group will find more and better solutions, with only the fittest being rewarded.

In this way, it is clear that such a program is a very valuable source of information about errors and vulnerabilities, and it even reduces the risk of a cyberattack, both because errors get reported and because of the rewards. Even the Pentagon, for example, has its own Bug Bounty program.

Now, we must bear in mind that we do not always need to expose ourselves to this type of “security audit”, and that if we do try it we must take certain precautions to ensure that it is useful and legal for our organization, both for us and for those aspiring to be rewarded. So here are a few brief guidelines, in case someone wants to try it or become the fifth university on the list.

First, you must define the budget you have and, where appropriate, limit the number of rewards or prizes.

Second, we must establish categories of errors according to how they can affect our system, and indicate whether every category is entitled to a reward or only some.

If we do not establish those initial guidelines, we may have to close the program after a few hours because we are unable to manage and pay for all the reports that arrive.

This brings us to the third point: we must have a team with the capacity to evaluate the notifications that reach us and to correct the errors. Without it, the program will be of little use to us.

Fourth, it is necessary to establish a secure channel of communication covering the verification of incidents, the elimination of duplicate reports, the confidentiality of communications and the processing of the reward. There are several platforms that can help with this; they charge a commission for the management, but they can be a good option if we want to offload part of the work.

Finally, I think it is imperative that both parties are honest. Unfortunately, many of these programs have failed because someone did not keep their end of the bargain.

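The budget, severity-category and duplicate-elimination guidelines above, modelled as an added example in Python (not code from the article or from any university's programme; the reward tiers, amounts, hostnames and sample reports are constructed assumptions):

```python
# Added example, not the article's code; tiers, amounts and reports are constructed.
from dataclasses import dataclass, field

REWARD_BY_SEVERITY = {"critical": 2000, "high": 800, "medium": 300, "low": 0}  # 0 = no payout

@dataclass
class Report:
    researcher: str
    asset: str      # affected host or component, as assigned by the triage team
    weakness: str   # CWE-style label assigned by the triage team
    severity: str   # one of the keys of REWARD_BY_SEVERITY

@dataclass
class Programme:
    budget: int
    spent: int = 0
    seen: set = field(default_factory=set)

    def triage(self, r: Report) -> str:
        key = (r.asset.lower(), r.weakness.lower())  # same bug => same key
        if key in self.seen:
            return "duplicate"            # only the first reporter can be paid
        self.seen.add(key)
        reward = REWARD_BY_SEVERITY[r.severity]
        if reward == 0:
            return "accepted-no-reward"   # category acknowledged but not paid
        if self.spent + reward > self.budget:
            return "valid-unfunded"       # the situation the article warns about
        self.spent += reward
        return f"rewarded:{reward}"

    def is_open(self) -> bool:
        """False once the remaining budget cannot pay the cheapest paid tier."""
        cheapest = min(v for v in REWARD_BY_SEVERITY.values() if v > 0)
        return self.budget - self.spent >= cheapest

SAMPLE_REPORTS = [  # constructed queue in arrival order; hosts are placeholders
    Report("ana", "sso.example.edu", "CWE-79", "high"),
    Report("bo", "SSO.example.edu", "cwe-79", "critical"),   # same bug, resubmitted
    Report("cy", "portal.example.edu", "CWE-89", "critical"),
    Report("di", "www.example.edu", "CWE-200", "low"),
    Report("ed", "api.example.edu", "CWE-287", "critical"),  # budget cannot cover it
]

def run_queue(budget=3000, reports=SAMPLE_REPORTS):
    """Triage the queue in arrival order; returns (programme, statuses)."""
    p = Programme(budget)
    return p, [p.triage(r) for r in reports]
```

With the default budget of 3000 the last valid critical report goes unfunded and the programme should be closed, which is the outcome the article describes when budget and categories are not fixed up front.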
In short, these programs improve and will continue to improve the general security of the network, but detected vulnerabilities must not be misused, and promised rewards must be paid.
