Bug Bounties Aren't Silver Bullet for Better Security

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

False dichotomy

[Shaitan]

"Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs"

There is no reason you can't do both. Hell the ones you hire can even be eligible for the bounties as bonuses. It's a built in incentive program.

"Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards."

Obviously the bounties are too low and/or the bugs aren't being acknowledged properly and paid out.