Ask HN: Are bug bounties leading to bad outcomes?

8 points by eterm ↗ HN
More frequently I see bug bounty programs which list whole swathes of issues as "out of scope", even including things such as CSRF (not just logout CSRF (which is mostly harmless) but all CSRF).

Also, you see issues which are marked "duplicate" where the original was from months prior. This suggests that reports, even when accepted, are left unfixed.

Meanwhile a budget for bug bounties will I suspect reduce the budget for other methods such as traditional penetration testing which could lead to a cheapening effect on that sector too.

Are bug bounties leading to a false sense of security as participation widens, or do you consider them still a massive improvement over what came before?

2 comments

[ 3.7 ms ] story [ 18.6 ms ] thread
They're just a tool. You can use them wisely or you can use them poorly. They can be an incredibly useful additional set of eyes if you've already done the basics, or you could get flooded with piles of issues that anyone could have found.

I used to work in sec consulting a decade ago and it was a shitshow, clients wouldn't have credentials ready when you were meant to start testing (but they'd still get billed), we were told to scope pentests to IPs with no listening services, management would downgrade risks because we couldn't identify a new high risk issue since we'd already tested the same application last year and the previous consultants hadn't found the problem, we'd get asked to review 10m LoC applications in 5 days based on just the source code, clients would ignore our recommendations and try to convince us that their dumb ideas were secure because they were easier to implement, despite being completely broken, I once had to listen to a client tell me that email didn't use TCP but rather it "just sent it", etc.

Our CEO once gave a presentation to the entire company where he said that the reason our clients liked us wasn't that we were good, which he said was entirely irrelevant, but that we didn't call them on their bullshit.

Not to say that every engagement was a waste of everyone's time and money, but you can mismanage a pentest just as easily as you mismanage a bug bounty.

Bug bounties are fine, but the problem is that I think a lot of companies are unprepared for the amount of time and resources that they require. I think that it's more cost effective to do pentesting at first