Bug Bounties: Overcoming Fears, Finding Solutions
- Date:May 02, 2018
- Author(s):
- Sean Sposito
- Test
- Report Details: 23 pages, 15 graphics
- Research Topic(s):
- Cybersecurity
- Fraud & Security
- PAID CONTENT
Overview
As financial institutions (FIs) increasingly focus on digital channels, industry leaders are coming to accept that any web or mobile application, piece infrastructure or network, or API open to the Internet will be scanned and pulled apart. More often than not, this dismantling is done voluntarily by independent security researchers who will expect the FI to have a mechanism by which they can report urgent issues they uncover, see software weaknesses fixed, and be rewarded for valid reports.
Indeed, retail banks, payment networks, and other FIs are coming to grips with the idea of outsiders poking at their publicly exposed systems. They’re dipping their toes in the water. They’re starting to embrace vulnerability disclosure as a strategy for lessening the risk that accompanies unknown or overlooked hardware and software vulnerabilities. However, many FIs still don’t see the upside of public bug bounty or vulnerability rewards programs (VRP). They’re fearful that rewarding vulnerability reports may result in unauthorized disclosure or regulatory consequences. This report examines the interest, trust, and doubts FIs have in bug bounty programs (initiatives that incentive vulnerability disclosure) and, more generally, vulnerability disclosure.
Key questions discussed in this report:
- What types of security skills and capabilities are FIs most interested in adding to their internal, security teams in the coming year?
- What types of crowd-sourced security models are FIs most comfortable with – if any?
- What are the attitudes of security professionals within FIs towards private and public bug bounty programs?
- What concerns do FI security leaders have when it comes to such security controls?
Companies Mentioned: Acorns Grow Inc., Bank of America, Card.com, Circle, Citibank, Coinbase, Dash Digital Cash, ING, JPMorgan Chase, LendingClub, Mastercard, PayPal, Simple, USAA, Western Union
Methodology
Learn More About This Report & Javelin
Related content
Threat Intel Odyssey: Mapping the Convergence of Social Cyber Risks
Successful sharing of threat intelligence must move beyond the borders of traditional financial services and governments to include social media, a breeding ground for cybercrime a...
2024 Cyber Trust in Banking Scorecard
In this scorecard, Javelin evaluates leading financial institutions’ level of cyber trust based on key components: privacy, cybersecurity, education and resolution support. Shiftin...
Cyber Trust in Banking: Privacy Path to Maturity
For consumers, privacy is the fundamental determinant of cyber trust. The degree to which financial institutions protect consumer privacy and enhance authentication and identity ve...
Make informed decisions in a digital financial world