A bug bounty program, such as one used by Hyatt Hotels Corporation, can help test a company’s data security, but there are some challenges associated with them.
REPORT FROM THE U.S.—Hotel companies have been popular targets of hackers who look to steal guests’ and employees’ personal and financial information, requiring these companies to improve their security measures.
Part of improving a company’s digital security is testing its systems for flaws and vulnerabilities. Along with testing by an internal security team, some companies, such as Hyatt Hotels Corporation, have turned to setting up bug bounty programs as an additional layer of security.
A bug bounty program is a formalized initiative in which a company funds rewards for security researchers who find security flaws in that company’s technology, such as its website or app, said Ted Harrington, co-owner and executive partner at Independent Security Evaluators. The company decides what it wants researchers to focus on and what it’s willing to pay per verified vulnerability, he said.
Hyatt’s cybersecurity team continuously evaluates and identifies additional strategies to protect its systems and stay ahead of the evolving threat landscape, Benjamin Vaughn, chief information security officer at Hyatt, said via email. As an additional layer of security, the team launched a public bug bounty program in 2019 to engage with skilled security researchers around the world.
With the help of a third-party bug bounty platform, Hyatt was able to enlist the services of researchers to safely test specific Hyatt websites and apps for potential vulnerabilities and share that information securely with Hyatt, which in turn addressed those issues, he said.
The vulnerabilities found through the program in 2019 are classified by their severity levels, Vaughn said. While most vulnerability reports the company received have been low severity, it did receive reports that detail incredibly creative attack methods.
“These types of vulnerabilities are challenging to identify given the many complexities involved, but due to our collaboration with bug bounty researchers, we are able to remediate proactively, before the bugs can be used against us by malicious attackers,” he said.
The research has been helpful to Hyatt, but it has also yielded lessons useful for many organizations, even outside of the hospitality industry, Vaughn said. The bug bounty program identified a vulnerability in a widely used third-party software package that could be exploited to manipulate website content.
“The software provider was not previously aware of this vulnerability and providing Hyatt’s research prompted them to immediately issue a security patch for all of their customers,” he said. “We take great pride in the ability to share this information, knowing that it can positively impact other organizations.”
As Hyatt’s bug bounty program evolves, the company remains committed to engaging with and learning from the cybersecurity research community, Vaughn said. More than 600 researchers participated during the first year, and the company hopes more will join this year, he said. To mark the program’s first anniversary, the company expanded the program’s scope and increased bounty payments to signal its dedication to the research community.
“With this program, we also hope to inspire other companies to consider a bug bounty program for their proactive security efforts,” he said. “We were the first hospitality company to launch a public program, and the key learnings have enabled us to further protect our systems and information, and ultimately better care for our guests, customers and colleagues.”
How do bug bounty programs work?
While companies can set up a bug bounty program on their own, most will use a third-party platform with expertise in this field, because running such a program is outside of their normal scope of operations, Harrington said. The third-party platform takes the company’s instructions and then advertises the details of the program to a worldwide group of security researchers. The platform acts as a middleman so the company doesn’t have to deal with all of the researchers individually, he said.
The researchers will go to the company’s website or app and try to find vulnerabilities within the scope of the program and what the company has offered rewards for, he said. When they find a vulnerability, they will submit it through the bug bounty program, and the third-party platform typically verifies it is actually a legitimate issue, within the scope of the program and wasn’t previously known to the company. If it qualifies, the platform then issues the reward.
“The vulnerabilities are then shared with the company that’s funding this whole thing, and then the company’s team goes and fixes the issues that have been reported to them,” Harrington said.
Benefits and challenges
Bug bounty programs are useful for companies looking to improve their security, but they only work in conjunction with—not instead of—the company’s existing security team, Harrington said.
When it comes to testing a system’s security, the theory is that the more eyes looking at it, the more vulnerabilities they’ll find, he said. It would be impossible to directly hire, or even find, the same number of people, especially on a global scale, so a program like this opens the testing up to a much broader pool of researchers, he said.
Another reason to use a bug bounty program is an immediate return on investment, Harrington said. The program only issues a payment if a researcher finds and reports a legitimate vulnerability. When that happens, the dollar amount paid for the vulnerability buys a direct reduction in risk to the company’s digital security, a literal ROI, he said.
Having a bug bounty program is also good PR for the company, Harrington said. It’s a powerful way to say the company is taking a specific action to deal with its own security challenges and it wants to work with the community to find the issues, he added.
“This is probably, in my opinion, the most powerful benefit of a bug bounty program: the marketing,” he said.
There are downsides to bug bounty programs, as well. The company has no control over the caliber or skill level of the researchers participating, Harrington said. That’s not necessarily a huge downside, since if the researchers aren’t skilled enough to find anything that meets the program’s requirements, the company doesn’t pay for anything, he said.
“However, this is important to note, because the assumption that you're going to be able to find all these vulnerabilities, well that might not be true, because you might not get people good enough to actually find the vulnerabilities,” he said.
Another challenge is that payments for bounties are often fairly small, Harrington said. That is not inherently a problem, as the amount might be enough to motivate someone living in an area with lower cost-of-living expenses. But it could mean researchers focus on the easiest vulnerabilities, because the amount might not be worth their time on harder ones, he said. It might also mean not many researchers would spend their time on the program at all.
Similarly, if a researcher finds a catastrophic issue, the payment might be too small, comparatively speaking, to make it worth turning in to the company funding the program, he said.
“You’re talking about a researcher that you don’t really have an affiliation with who’s motivated by profit,” Harrington said. “They might turn around and sell that to an organization who would be willing to spend a lot of money for those issues, like nation states or organized criminals.”