Bug bounties fail to deliver long-lasting security benefits or build a modern cybersecurity workforce pipeline, Luta Security founder Katie Moussouris argued during this week’s Black Hat USA 2022 conference.
Moussouris, who helped launch bug bounty programs at Microsoft and the U.S. Department of Defense, said organizations need to instead build and support cybersecurity maturity.
“You actually have to be deliberate about building maturity and sustaining that maturity over time,” Moussouris said. “Bug bounties are fantastic, but they can't be used as Botox, covering up your internal security flaws.”
Building this maturity is needed as many organizations lack the internal resources to actually fix bugs found as part of a bounty program.
“You can tell an organization all you want about their security vulnerabilities, but if they don't have the capacity to fix them and fix them consistently, they will always be falling behind and other priorities will always take more precedence than the security priorities,” Moussouris said. “So what we really need to do is organize around the evolving maturity of each side of this marketplace and think of it in terms of system dynamics.”
Manual Work Matters
Moussouris also cautioned firms on relying too much on bug discovery using artificial intelligence (AI) and machine learning (ML).
“If you're looking to AI and machine learning to help you through some of these process problems, look no further than the human being who you actually need to train to do this work,” she explained.
Moussouris also pointed out that organizations should avoid asking their own developers to handle all the bug hunting, fixing, and program management.
“Because what you will find is that at about the 18-month or two-year mark of running a bug bounty program internally you will lose key people and the program will collapse under its own weight,” Moussouris said. “So just understand that fixing bugs themselves is treating the symptoms of your underlying security problems, fixing your processes, the cure, and anticipating the places where your process is going to need help.”
She also cautioned against the use of non-disclosure agreements (NDAs) in vulnerability disclosure.
“On top of a vulnerability disclosure process, why would I ever sign an NDA for the privilege of telling you what's wrong with you? That's insane,” Moussouris said. “I don't accept the disclosure terms that would require me to keep silent if they don't fix it.”
Help Creating Bug Bounties
How should small- or medium-sized businesses start their own bug bounty programs?
“Bug bounty is a natural extension of your vulnerability disclosure program,” Katie Noble, director of Intel's Product Security Incident Response Team and bug bounty program, said during an Intel virtual event tied to Black Hat. “If you don't have a well-formulated vulnerability disclosure program, then bug bounty becomes very, very difficult.”
“The biggest advice that I can give folks is don't try to do it on your own,” she added, stating that there are organizations and platforms that offer bug bounty programs.
There are also bug bounty managers in the community who can share information on the pros and cons and best practices.
“Some of the big platforms will help you set up a bug bounty program and they'll tell you whether it's right for you,” Noble said. “They can help you decide as a vendor whether a bug bounty program is right for you and how to implement it into your network and how to implement it into your processes, so use those tools that are available for you.”