4 Considerations for a Bug Bounty Program
August 24, 2015
By George Japak, Managing Director, ICSA Labs

I recently read some of the articles about bug bounties and their relative virtues. Some of the comments were thought provoking, controversial and entertaining as they are a departure from comments that are trying to make a marketing statement rather than an avenue for expressing their true feelings on the subject.

As the Managing Director for ICSA Labs, where we have been providing product testing and certification services for more than twenty five years, I thought: “Hey, why not give my two cents on the issue since I have been managing ICSA Labs for the majority of these years.”

Without a doubt, there will always be bugs in software – either commercial or open source – with appliances, devices, etc. and the main issue isn’t whether there are bugs or not but rather the degree of bugs.  The amount of bugs (and the timeliness to quickly fix them) in a company’s hardware or software is what differentiates companies that have good system development life cycle (SDLC) and quality assurance (QA) programs from those that do not.

How a vendor supports its products through the development process and its entire lifecycle is just as important as the functionality and benefits you are buying.  A company’s commitment to having a strong SDLC and QA program is a key ingredient to a successful and long-term relationship with your vendor/partner.

Using testing and certification by a credible, third party organization such as ICSA Labs is one method to give you confidence and assurance that a solution will work as intended.

Another approach gaining favor with some software and platform providers, as well as entities that offer customer-facing portals and interfaces, are bug bounty programs, where individuals (mainly outside the organization) can receive recognition and compensation by the company for reporting bugs.

Here are four considerations you may want to contemplate in implementing a bug bounty program:

  1. Have your house in order and do not rely on a bug bounty program to be a substitute or something to augment what you should already be doing.
  2. Be ready to respond and react appropriately if a bug is discovered.
  3. Be careful of what you ask for, or, at least, know what you are asking for as these types of programs can deliver unexpected results.
  4. Be specific and direct as to how, what, when, where and why you will compensate bug bounty hunters.


Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

This question is for testing whether you are a human visitor to prevent automated spam submissions.
Enter the characters shown in the image.