Bug Bounties: Overcoming Fears, Finding Solutions
- Date: May 02, 2018
- Author(s):
- Sean Sposito
- Report Details: 23 pages, 15 graphics
- Research Topic(s):
- Cybersecurity
- Fraud & Security
- PAID CONTENT
Overview
As financial institutions (FIs) increasingly focus on digital channels, industry leaders are coming to accept that any web or mobile application, piece of infrastructure or network, or API open to the Internet will be scanned and pulled apart. More often than not, this dismantling is done voluntarily by independent security researchers, who will expect the FI to have a mechanism by which they can report urgent issues they uncover, see software weaknesses fixed, and be rewarded for valid reports.
Indeed, retail banks, payment networks, and other FIs are coming to grips with the idea of outsiders poking at their publicly exposed systems. They’re dipping their toes in the water. They’re starting to embrace vulnerability disclosure as a strategy for lessening the risk that accompanies unknown or overlooked hardware and software vulnerabilities. However, many FIs still don’t see the upside of public bug bounty or vulnerability rewards programs (VRPs). They’re fearful that rewarding vulnerability reports may result in unauthorized disclosure or regulatory consequences. This report examines the interest, trust, and doubts FIs have in bug bounty programs (initiatives that incentivize vulnerability disclosure) and, more generally, in vulnerability disclosure.
Key questions discussed in this report:
- What types of security skills and capabilities are FIs most interested in adding to their internal security teams in the coming year?
- What types of crowd-sourced security models are FIs most comfortable with – if any?
- What are the attitudes of security professionals within FIs toward private and public bug bounty programs?
- What concerns do FI security leaders have when it comes to such security controls?
Companies Mentioned: Acorns Grow Inc., Bank of America, Card.com, Circle, Citibank, Coinbase, Dash Digital Cash, ING, JPMorgan Chase, LendingClub, Mastercard, PayPal, Simple, USAA, Western Union