Bug Bounties Aren't Silver Bullet for Better Security: Report

Many organizations may find they’re better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months — including those run for Twitter, Coinbase, Square and other big names — and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don’t benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It’s also claimed that even these elite “top 1%” ethical hackers can’t make a decent wage by Western standards.