Use of public bug bounty programs (aka Responsible Disclosure Program)
Any thoughts on the use of public bug bounty programs to utilize independent security researchers to improve the security of an org's product/service?
Does this program benefit the organization more than any potential pitfalls such as possible disclosure that could cause reputational harm to the org?
I see that a lot of companies are using this now a days. It seems to benefit independent researchers with 'kudos' points and well as monetary rewards in addition to gaining experience, and to the company a lot more security researchers contributing to security testing mediated by a third party.
I am looking for experience from the community and the candid views.
Bug bounties show a commitment to product improvement and protecting the customer. They are PR money well spent. There is no way that a company can be expected to be the first to discover every flaw, but I do expect them to fix the flaw. When a vulnerability is disclosed, I have a much greater respect for the company if an immediate and permanent remediation is available. If I have to wait or implement temporary mitigating factors, it affects their reputation.
Responsible disclosure programs are also good, although I feel they out to have a bit more compassion. For example, there have been incidences where the embargo expires just shortly before the company's routine maintenance cycle, which causes pain for all involved. Much better would be to disclose a few days after the routine maintenance had been released because it puts the explanation point on the "patch early; patch often!" mantra.
Thank you for your prompt and thoughtful reply. Key lesson - if the company is committed to the program, then fixing the issues found timely is the way to benefit from it as well as respecting those who found the issues.
I would think that a company should have reasonably good security posture. Else the use of public bug bounty could be like poking the beehive?