Bug Bounties: Overcoming Fears, Finding Solutions
- Date:May 02, 2018
- Author(s):
- Sean Sposito
- Test
- Report Details: 23 pages, 15 graphics
- Research Topic(s):
- Cybersecurity
- Fraud & Security
- PAID CONTENT
Overview
As financial institutions (FIs) increasingly focus on digital channels, industry leaders are coming to accept that any web or mobile application, piece infrastructure or network, or API open to the Internet will be scanned and pulled apart. More often than not, this dismantling is done voluntarily by independent security researchers who will expect the FI to have a mechanism by which they can report urgent issues they uncover, see software weaknesses fixed, and be rewarded for valid reports.
Indeed, retail banks, payment networks, and other FIs are coming to grips with the idea of outsiders poking at their publicly exposed systems. They’re dipping their toes in the water. They’re starting to embrace vulnerability disclosure as a strategy for lessening the risk that accompanies unknown or overlooked hardware and software vulnerabilities. However, many FIs still don’t see the upside of public bug bounty or vulnerability rewards programs (VRP). They’re fearful that rewarding vulnerability reports may result in unauthorized disclosure or regulatory consequences. This report examines the interest, trust, and doubts FIs have in bug bounty programs (initiatives that incentive vulnerability disclosure) and, more generally, vulnerability disclosure.
Key questions discussed in this report:
- What types of security skills and capabilities are FIs most interested in adding to their internal, security teams in the coming year?
- What types of crowd-sourced security models are FIs most comfortable with – if any?
- What are the attitudes of security professionals within FIs towards private and public bug bounty programs?
- What concerns do FI security leaders have when it comes to such security controls?
Companies Mentioned: Acorns Grow Inc., Bank of America, Card.com, Circle, Citibank, Coinbase, Dash Digital Cash, ING, JPMorgan Chase, LendingClub, Mastercard, PayPal, Simple, USAA, Western Union
Methodology
Learn More About This Report & Javelin
Related content
Privacy and KYC Requirements: Navigating the Labyrinth
Data privacy and security are hot-button issues for consumers and regulators. FIs must balance consumer privacy with the need to collect information for regulatory compliance. Furt...
Customer Contact Centers: Heroes in Cybercrime Remediation, Fraud Prevention
Criminals increasingly use cyberattacks and scams to target consumers, and FI call centers are often relied upon for victim assistance. The key will be FI customer-oriented contact...
IoT Devices Create Privacy Nightmares for Banks, Small Businesses
IoT devices allow more convenient customer and business interactions, but the privacy and security costs can be too high, especially for financial institutions and small businesses...
Make informed decisions in a digital financial world