3 Things to be aware of to design the best Bug Bounty program

3 years ago 185

How can game theory be used to maximise outcome from crowdsourcing?

How to set-up and incentivise Bug Bounty program to minimise risk and maximise outcomes?

Prashant Chamarty


Photo by 30daysreplay (PR & Marketing) on Unsplash

A bug is a software vulnerability that is an unintended consequence of design choices or coding and makes the system vulnerable to a cyber attack. Software companies and other organisations have come up with incentives to fix bugs in their software once they are discovered. This incentive program is called a bug bounty program.

Netscape was the first company to introduce a Bug Bounty program, in 1995, offering $500 for each bug; this remained consistent for 15 years. Google launched a Bug Bounty for Chromium at $1337 and later raised it to $3133.7. The most significant validation for the Bug Bounty model came when the US Defence Department started the “See Something Say Something” and “Hack the Army” programs, in which researchers and hackers go through public-facing army sites for software flaws and compete for, and are rewarded with, thousands of dollars in bounty rewards rather than facing a felony charge.


Game theory is the study of mathematical models that describe the behaviour of rational but selfish players interacting in a group. A game in this context denotes a situation in which each player (participant) has a set of possible actions they can perform, and the outcome for each player depends on the decisions made by the other players.

In such a game, a Nash Equilibrium describes the state in which every player achieves the best possible outcome for themselves given what they expect the other players in the group to do. In a Nash equilibrium, every member of the group is doing as well as they possibly can, given the choices of the others.


Bug Bounty programs aim to achieve the following objectives:

1. To get early sight of vulnerabilities that would eventually be identified anyway as we have no shortage of internet users trying to crack and exploit any system they can access.

2. To have additional vulnerabilities identified through further testing, and hopefully disclosed responsibly.

So, in summary, if Mr Donald Rumsfeld were to describe Bug Bounty, he would describe it as a mechanism to move some of the “Unknown Unknowns” into the “Known Knowns”, or at least the “Known Unknowns”, category. The assumption here is that enterprises can manage “Known Unknowns” and “Known Knowns” better than “Unknown Unknowns”.

The question often asked in a crowdsourcing context like bug bounty is how the incentive for offensive testing can be optimised against defensive testing (i.e. penetration testing): defensive testers must remain incentivised to identify vulnerabilities during defensive testing, external testers must receive an adequate incentive, and the bug bounty program must remain attractive enough to be effective.

The pricing strategy must strike a balance between encouraging disclosure of vulnerabilities identified through the bug bounty program and maximising the effectiveness of defensive testing. This challenge can be equated to the ‘Prisoner’s Dilemma’ often used to explain Nash Equilibrium. In the prisoner’s dilemma, the Nash equilibrium is the state in which the economically rational prisoners do not cooperate, and both accept a suboptimal outcome.


Game Theory applied to design the Bug Bounty Program.

This context applies to any crowdsourcing or Bug Bounty initiative. In a crowdsourcing or bug bounty context there are multiple participants, but they can be broken down into two categories: the internal testing teams, called defensive testers, and the testers participating in the bug bounty program, called offensive testers. In this set-up, each tester only knows the vulnerabilities they have identified; they do not know who else is testing or what those other testers have discovered, and the first one to report a bug is rewarded with an appropriate incentive. So the aim is to achieve an equilibrium in which the defensive testers do their best to identify bugs, and there is still sufficient incentive for the offensive testers to try to find bugs. This premise can be depicted using the prisoner’s dilemma matrix in the picture below.


Prisoners Matrix for Bug Bounty

The desired outcome is that economically rational (selfish) testers disclose the vulnerabilities they find as quickly as possible.

Thus, a Bug Bounty program can be considered a “Simultaneous Imperfect Game”: both players make their moves near simultaneously rather than sequentially, and they have imperfect information (i.e. players’ preferences depend on information held by others). So the factors to keep in mind while designing the bug bounty program are:

1. Aggregate information to ensure near-optimal outcomes: Aggregate information compiled through the wisdom of the crowds has been proven to identify the characteristics of the data with high accuracy, even if the data grows at a rate greater than the rate of growth of the participants. So we can conclude that the more information is shared with the bug bounty community, the greater the detection of bugs.

2. Penalties: By introducing penalties for defensive testers who suppress bugs and then report them during offensive testing, the internal testers’ incentive to game the bug bounty program is suppressed. The incentive to game the bug bounty system can also be suppressed by introducing a mandatory moratorium period for internal testers before they can report bugs through the offensive testing route. Together, these penalties can help reduce the incentive to game the system towards zero.

3. Optimisation: The incentives and penalties will need to be crowdsourced to approximate optimal allocations and achieve competitive equilibrium.
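To make the prisoner’s-dilemma matrix and the penalty/moratorium levers concrete, here is an added example (not from the original article) that encodes the defensive-versus-offensive tester game as a payoff table and finds its pure-strategy Nash equilibria. All payoff numbers, the `internal_credit`/`bounty`/`late_bounty` names and the simplifying rule that a withholding tester only collects a late bounty if the other tester also withholds are constructed assumptions.

```python
from itertools import product

# Each tester either reports the bug now or withholds it hoping for a bigger
# payout later. Actions are sorted alphabetically, so results are deterministic.
DISCLOSE, WITHHOLD = "disclose", "withhold"
ACTIONS = (DISCLOSE, WITHHOLD)


def build_payoffs(internal_credit, bounty, late_bounty,
                  penalty=0.0, moratorium_discount=1.0):
    """Constructed payoff table: (defender_action, offender_action) ->
    (defender_payoff, offender_payoff).

    internal_credit    : what the defensive tester earns by reporting internally now
    bounty             : what the offensive tester earns by reporting now
    late_bounty        : hoped-for payout for a tester who withholds, collected only
                         if the other tester also withholds (otherwise the bug is fixed)
    penalty            : charge on a defensive tester who withholds (suppresses) a bug
    moratorium_discount: scales the defender's late bounty; a waiting period before
                         internal testers may use the offensive route lowers it
    """
    defender_late = late_bounty * moratorium_discount - penalty
    return {
        (DISCLOSE, DISCLOSE): (internal_credit, bounty),   # both paid via own channel
        (DISCLOSE, WITHHOLD): (internal_credit, 0.0),      # offender missed out
        (WITHHOLD, DISCLOSE): (-penalty, bounty),          # suppression detected
        (WITHHOLD, WITHHOLD): (defender_late, late_bounty),
    }


def best_responses(payoffs, player, other_action):
    """Actions of `player` (0 = defender, 1 = offender) that maximise its
    payoff when the other tester plays `other_action`."""
    def profile(action):
        return (action, other_action) if player == 0 else (other_action, action)
    scores = {a: payoffs[profile(a)][player] for a in ACTIONS}
    top = max(scores.values())
    return {a for a, s in scores.items() if s == top}


def nash_equilibria(payoffs):
    """Pure-strategy Nash equilibria: profiles where neither tester can gain
    by unilaterally switching action."""
    return sorted(
        (d, o) for d, o in product(ACTIONS, ACTIONS)
        if d in best_responses(payoffs, 0, o) and o in best_responses(payoffs, 1, d)
    )


if __name__ == "__main__":
    print("no penalty:   ", nash_equilibria(build_payoffs(1, 3, 5)))
    print("with penalty: ", nash_equilibria(build_payoffs(1, 3, 5, penalty=6)))
    print("with moratorium:", nash_equilibria(build_payoffs(1, 3, 5, moratorium_discount=0.1)))
```

With no penalty and a late bounty above the internal credit, both “everyone discloses” and “everyone withholds” are equilibria, which is the gaming risk the article describes; a sufficient penalty or a moratorium that discounts the internal tester’s late payout leaves disclosure as the only equilibrium.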

Hopefully, this article provides you with a framework for successfully setting up a Bug Bounty program within your organisation. These principles can be utilised in other crowdsourcing scenarios as well.



Hopefully, this article has enabled you to get a better understanding of how Game Theory principles can be used to design a bug bounty program effectively. For feedback or suggestions, please feel free to email me at cssprashant@gmail.com.
