Fatigue fears over bug bounty programs

Bug bounty fatigue means that bounty hunters are only picking up the easy-to-find flaws while leaving more difficult-to-tease-out vulnerabilities undiscovered, according to a security testing organization. High-Tech Bridge said its mix of automated scanning and manual inspection is unearthing problems at organizations that …

  1. tiggity Silver badge

    Statement of the obvious

    The easy / fast to find bugs are way more likely to be found than the hard to discover bugs, zero surprise there.

    It's all just PR puffery saying our company will find some currently missed bugs.

    1. You aint sin me, roit

      Advertisement of the obvious

      Quotes from two security testing companies saying that testing is best done by security testing companies...

  2. Charlie Clark Silver badge

    It's not about the money

    People who are motivated by the money will get more by selling exploits to criminals.

    Bounty programmes have four functions: show recognition for the work involved; potentially improve any automated systems; act as cheap and effective recruitment programmes; PR to the rest of the world showing that they care about security.

  3. Cuddles

    No, really?

    It's almost as though QA and security are things that should be paid jobs within a company rather than simply outsourced to hobbyists. Sure, you can get some benefit from asking nicely for people to tell you about issues they've found and showing appreciation when they do so, but it should be obvious that that can only ever be in addition to trying to do it properly yourself as well.

  4. Anonymous Coward

    former bugcrowd junky here

    Yes, I actually burned out on bug bounties... I did it as a hobby for about 2-3 years and got into the top 10 at bugcrowd, but my day job was pentesting, and then the bounties would sometimes start at odd hours, and you knew if you were coming late to the party your chances of finding bugs diminished. The few times I got big payouts (exceeding 4K$) was when I was at the starting block with everyone else.

    Then of course, it's also frustrating hunting for 6 hours and finding nothing... when if you pentest, you get paid regardless of whether you find bugs or not!

  5. Gordon Pryra

    Sounds like a Synack advert to me

    "Kaplan argues that Synack’s man-led, machine-supported approach offers a way to more systematically search for flaws."

    Report about how crap one approach is, followed by a nice cheap system that gets over those issues.

    Yawn

    1. Charlie Clark Silver badge

      Re: Sounds like a Synack advert to me

      Yes, it is a bit of a blatant PR for the two companies but I don't mind it that much when you think of some of the shit that gets forced down our throat. Companies should be doing more security evaluations and pentesting with external partners.
