
Bug bounty in practice: the final layer of security


What does a bug bounty program look like, and what does it deliver? We talk to Visma about its usefulness for security professionals and the ultimate benefit for the user of the software.

“With the bug bounty program, we have extra eyes looking at our products,” explains Chief Information Security Officer Cindy Wubben at Visma. These are the eyes of outside contributors who help make the software more secure: ethical hackers who are encouraged to find and report vulnerabilities. Those vulnerabilities can then be fixed before a cybercriminal exploits them, avoiding potentially harmful consequences.

For Visma, it makes sense to run a bug bounty program. The company places it under the umbrella of the Visma Security Program, which contains the security steps, measures and requirements needed to secure business-critical software. Companies that belong to Visma use this umbrella program, and possibly bug bounty as well, but only after all other security steps have been completed. After all, bug bounty is the final layer of security, one that can only be used once you, as a software vendor, have done everything else necessary to prevent security incidents.

Ready for bug bounty

“Bug bounty is the extra step to catch security issues you cannot cover with other elements. Because hackers look for vulnerabilities differently than the automatic scans of the program do,” Wubben said. When Visma acquires a company, the first priority is to get all other security matters in order. Visma assigns baselines for this. The bug bounty program can only be used once one of the two highest levels, gold or platinum, has been reached. A company reaches that level only after some time and once all vulnerabilities have been resolved through the regular program.

Within Visma, bug bounty is an optional security step. It is recommended, but Visma companies are not required to do it. This is partly driven by the requirements to join the bug bounty program. In addition to demonstrating security level maturity, a team should always be ready to resolve a vulnerability within a short period of time. After all, if a very critical vulnerability is reported, it is important to resolve it as soon as possible.

In addition, money must be available to reward an ethical hacker properly. A qualified vulnerability brings a minimum reward of €100, with the amount depending on severity. We write qualified here because a reported vulnerability must meet minimum requirements. Depending on the severity, ethical hackers can earn up to €7,500.


The extra eyes

“Actually, this is double; on the one hand, it is very annoying that you have such a critical vulnerability, but on the other hand, that is exactly why you do it,” Wubben explains. After all, it is mainly those very critical vulnerabilities that Visma wants to catch with the program. Low-impact vulnerabilities can often do little harm, so it is still right to report them, but the big potential leaks are where the program really pays off, says Wubben. “€1 spent on this is €100 saved in the future.”

Bug bounty is also necessary because automatic scans catch much but not everything. “That ethical hacker looks at it with his background,” Wubben said. For example, participants in the Visma program may have in-depth knowledge of a specific hacking method, and by applying that method they find new vulnerabilities that the scans miss. An ethical hacker can also make connections between parts of an application that automated tooling does not, so new vulnerabilities are discovered. “If you open it up to the outside, then you have everything available to test your product,” Wubben concludes about the added value.

Rules for notifications

So basically, through bug bounty, Visma hopes to receive as many reports as possible, but it all has to be done cleanly. As we wrote a few paragraphs ago, a vulnerability must be qualified to receive a bounty. That is why Visma works with a portal for ethical hackers. It lists which products may be tested, and it sets out the conditions for the hacking methods that may be applied. The basic rule is “do no harm,” so there must be no intent to damage the software. A DDoS attack is an example of a method that is not accepted in the bug bounty program: Visma takes other measures against that, and it causes serious disruption.

A hacker who follows the conditions must ultimately include a proof-of-concept with the report: how does the vulnerability work in practice? “Especially with critical vulnerabilities, good documentation is one of the most important requirements,” says Wubben. With such discoveries, very extensive reports are common, because many steps are often required to exploit them. Most approved reports concern Insecure Direct Object Reference (IDOR), in which a user gains authorization beyond what they should have, and cross-site scripting, in which malicious scripts are injected into a web application. These types of vulnerabilities make up the bulk of the roughly 80 reports received each month.

Visma also makes a point of working with qualified ethical hackers. To do this, they use a private program and a public program. For example, an ethical hacker may be invited to the private program because Visma knows the hacker from previous interactions. According to Wubben, the hackers consider it an honour to be invited to this group. Hackers not invited to the private program can always participate in the public program. The big difference is in which Visma products are allowed to be tested. The participants are also in regular contact with each other.

Vulnerability assessment

The vulnerabilities that hackers report are first assessed by a team set up by the parent organization, Visma. That team works full-time on assessing reported bugs. In addition to the bug bounty reports, these employees review reports from the responsible disclosure program. That, in turn, is the program through which ethical hackers can report bugs in software that falls outside the bug bounty rules. Under responsible disclosure they receive no monetary reward, but they can choose swag from a web shop as a thank-you gift. In addition, the ethical hacker gets a mention on Visma’s page.

The team that reviews the report checks whether the documentation has been provided correctly and whether the vulnerability has any realistic chance of success. The responsibility for accepting the report lies with them. They then pass the report on to the Visma subsidiary, which can better assess the risk. At first, for example, a vulnerability may seem critical because it involves access to a database. The subsidiary may then quickly find that it is a database of public information rather than confidential data. It is still good that the report came in, but the risk is not very high.

Attention to bug bounty

Visma has a special hacking schedule to let ethical hackers test as much as possible. For example, it regularly puts a particular product forward for testing. If, after a certain point, the product seems to get less attention from hackers, Visma may decide to double the rewards for bugs found in it. That way, it remains attractive to hackers to keep looking for bugs in the software.

Another way Visma promotes testing is by organizing live hacking events. Wubben attended an event in Denmark that focused on one specific software product. Visma selected hackers to participate in this live hacking event. In the first weeks, they started at home with the first phase of finding vulnerabilities. Then they met for two days in Denmark, where they could cooperate more closely and be in direct contact with Visma. Visma had a response team available on-site to assess each report immediately. That team determines the priority, which is then tracked in a ranking. In the end, an 18-year-old student managed to find the most vulnerabilities. Besides the money, this also brings status, Wubben said.

It’s a way to keep the community involved in finding vulnerabilities. This is an excellent step to promote bug bounty further and move toward the most secure software possible. Because software is not secure until the last necessary measure is also taken.
