How Bug Bounty Programs Can Help Combat Ransomware Attacks
Ethical hacking initiatives can allow researchers to find and report vulnerabilities before they can be exploited.

The U.S. is now the ransomware capital of the world.
Enterprises and organizations in the country are the targets of 50% of global ransomware attacks, according to a recent Zscaler ThreatLabz report, with manufacturing, technology and healthcare bearing the brunt. It gets worse: While ransomware attacks have climbed 146% in the past year, cybersecurity budget growth has shrunk to the lowest rate in five years.
In that ominous situation, it may take a hacker to stop a hacker. Enter bug bounty programs, or ethical hacking initiatives that allow researchers to find and report vulnerabilities before they can be exploited.
The most effective way to start is by combining a vulnerability disclosure program with a private bug bounty program, Crystal Hazen, senior bug bounty program manager at HackerOne, told CIO Upside.
A vulnerability disclosure program creates a “reactive net,” said Hazen, offering a “structured, always-on channel for any researcher to safely report vulnerabilities.” Meanwhile, a private bounty program invites a select group of vetted researchers to test your highest-priority assets, she added.
This dual-track approach enables organizations to scale operations in a controlled way by building coverage, fine-tuning internal triage and learning how to operationalize findings before going public, Hazen explained.
- The foundation of successful bug bounty programs includes a clear scope and clear rules of engagement for ethical hackers, fast and respectful communication with researchers, and tight coordination between security, engineering and legal teams, Hazen said.
- Through these dual programs, companies can access highly skilled global researchers at far lower cost than conventional cybersecurity vendors.
- Ethical hackers know the ins and outs of the cybercriminal underworld, threat actors’ playbooks and techniques, and how they continually evolve their attacks. The ability to think like a hacker allows them to detect and patch vulnerabilities or bugs before a threat actor exploits them.
Embraced by companies from Apple to OpenAI, along with large, medium, and small businesses in other industries, bug bounty programs have come a long way since their inception. HackerOne is just one company that offers bug bounty services, with competitors including Bugcrowd, YesWeHack, and Synack.
“While you can definitely hire a consultant to help you set up a (bug bounty) program, there are also entire companies dedicated to running a bug bounty program for you,” Tim Erlin, security strategist at Wallarm, told CIO Upside. “Setting one up from scratch by yourself isn’t necessary.”
These programs are customizable to your enterprise’s budgetary needs, allowing each company to adjust the price and scope. “Since organizations can set the bounties themselves, they have control over the economics to some degree,” said Erlin.
When pitching boards and executives for buy-in, CISOs and CIOs should present Return on Mitigation (RoM) bottom lines.
Though return on investment can be tricky to track in cybersecurity, measuring “return on mitigation,” or the value of preventing losses versus the cost of security efforts, can help provide context for the value these programs can bring, said Hazen.
HackerOne’s bug bounty program calculated a 700% return on mitigation, “meaning every dollar spent delivered $7 in estimated value,” Hazen said. “Traditional (return on investment) calculations fall short when measuring cybersecurity impact.”
“Bug bounties focus researchers on what matters most,” Hazen said.