A Bug Bounty Program Doesn’t Mean You Take Security Seriously
The security industry is really good at doing anything other than what actually makes the most sense to improve the poor state of security, which goes a long way to explaining why things are so bad despite so much money being spent. Bug bounty programs are a perfect example of that. That was recently highlighted by someone claiming to have found security issues in an Indian McDonalds app after noticing it had a bug bounty program.
What they described is finding almost non-existent security, which they found through a lot of trial and error, otherwise known as the more legitimate form of penetration testing. Looking at the source code would have been a much quicker way to find that, and probably even more issues. Somehow their takeaway from that was that the relevant company was taking security more seriously because there was a bug bounty program:
I would also like to specifically call out the fact that a bug bounty exists for this system is awesome. McDonald’s USA doesn’t care enough to make an official bug bounty. Even HackerOne called them out on it! It’s interesting McDonald’s India takes security more seriously. While such severe security flaws were surprising to see in a mature system that has been around for many years, I’m glad they had the foresight to create a bug bounty program. Many other companies can learn from them.
Clearly the company wasn’t taking security seriously, as they had almost non-existent security and hadn’t hired someone to review their code to find that for years. If anything, that situation suggests that having a bug bounty program might correlate with not taking security seriously.
Why is the security industry pushing bug bounty programs if they are at best an inefficient way to address security problems? A lot of the answer seems to be money. The HackerOne mentioned in that quote makes money by acting as a middleman between “security researchers” and companies. Take away bug bounty programs and they don’t have a business. Then you have the people who are able to charge large sums of money for often not-legitimate penetration testing to unsuspecting companies. Bug bounty programs are often basically a form of uncompensated or lightly compensated penetration testing. Another part of this is that much of the security industry is not technically capable of securing software; they are able to do penetration testing because it doesn’t require the same technical capability. To fix the issues, you still need someone who is technically capable of securing software, so either penetration testing like this requires even more spending, or, as is too often the case, the issues don’t get resolved.
For the WordPress community, the better solution than bug bounties would be for plugin developers to spend money on security reviews (either in house or from a qualified security provider) and for websites that could afford a bug bounty to instead spend the money on security reviews as well.