To cure their woes, the bug bounty industry should look no further than risk pooling.

As the political climate heats up, so does the new era for cyberwarfare. In recent history, nation states supplemented military conflict with attacks on digital infrastructure to either gather intelligence or cause outages, but now with their high impact and versatile usage, there is more reason to include cyber attacks not only before, but during and after conflicts. Actually, there is no reason to stop. In order to maximize effectiveness, cyber attackers target not only government-owned equipment, but banks, transport and infrastructure to cause damage. Securing one set of systems is already a challenge, and now we have a problem of securing an entire nation's systems.

One place to start is to reward the good guys who find vulnerabilities and report them.

The phrase “bug bounty” has gone mainstream as Microsoft, Google, Facebook, General Motors and even Starbucks have turned to the crowd for help in fixing security problems. But for all the success that some have achieved with their bug bounty programs, others — like Apple and DJI — have run into trouble. And that's considering companies that have introduced these programs in the first place; at most organizations, the bug bounty adoption curve is virtually non-existent.

However, the bug bounty system has problems. Organizations' varied attempts at approaching such programs reflect their failure to not only understand hacker incentives, but collaborate on solving a shared problem. What bug bounties are missing is a way to standardize and mitigate risk. In fact, bug bounty programs have a lot to learn from an industry that exists solely to manage risk: insurance.

The bug bounty market is still relatively nascent, and it is broken. I propose a new way to look at crowdsourced security. Here's how one of the world's oldest industries can help.


The ugly bug

Let's first take a look at the current affairs of bug bounties. Despite their potential as marketplaces with perfectly aligned incentives (in theory), the reality is most companies struggle to formally get such programs up and running. Even with new technology making crowdsourced vulnerability reporting possible, every bug bounty program still falls under the responsibility of the individual company to establish its own rules and payout structures. From the point of view of a hacker, this means each program looks different: disclosure stipulations and response times vary wildly, and it's usually impossible to find the correct point of contact.

Google and Facebook are notable exceptions and should serve as the example for everyone else. Total payouts reflect their efficacy: Facebook paid out $880,000 in 2017 with a respectable average bounty of $1,900, and Google coughed up $3 million in 2016. But what about all other companies, especially those in technology? Their collective payouts are pocket change by comparison — and that's if they offer a program at all.

At the core of the adoption issue is a lack of transparency. Most companies list a minimum payout, which is great for low-priority bugs. But most don't declare a maximum. That's a buzzkill for hackers, regardless of their intentions – they're left in the dark on whether it's worth the time and effort to report a bug if they don't know what they will receive in return. And in the case of grey and black hats, if the bug bounty can't guarantee a worthwhile payment upfront, hackers are sure to turn instead to the underground marketplace for their reward, racking up clean-up costs to the potential millions depending on the severity of the vulnerability. Places like Dream, Hansa and Alphabay exist on the dark web because people pay for this data and access. Zerodium built a business model of paying large bounties in bitcoin for reliable exploits. If that fails, well, money can be made by announcing the hack and shorting their stock instead.

For hackers, the economics of the typical bug bounty isn't worth the trouble. This needs to change.


Borrowing from insurance

To cure their woes, the bug bounty industry should look no further than risk pooling. Best known as a common insurance practice, a risk pool combines large numbers of people to minimize the cost impact of the highest-risk individuals in the group. Health and auto insurance companies, for example, use risk pooling by insuring people who are unlikely to need protection in order to cover the cost of people who are more likely to need it. This reduces costs for both the insurance carrier and its customers.

Just like insurers and the insured, companies need to work together to mitigate risk. Here is where a joint bug bounty system comes in. Instead of a single organization paying out a bounty, companies should create a shared pool of rewards and, to ensure privacy across parties, host it on an established system like HackerOne or Bugcrowd.

With a unified bug bounty system, companies small and large can lay out a shared set of criteria on reporting practices, payout maximums and minimums and clear guidelines on what constitutes a bug. In turn, companies will have access to richer information about their peers and can ensure their payouts and pay-ins align with the industry's “going rate” for continued engagement with the hacker community. What's more, companies can share information about disclosures and use that insight to inform their own security operations and developers.

It's time for bug bounty programs to get smart on incentives. Software and non-software companies alike need to incentivize hackers to do the right thing. Hackers shouldn't think twice about reporting major issues. Companies need to establish programs that work. Otherwise, they are simply asking to leak their important vulnerability information to dark places.

Either that or we can wait for this cyber thing to blow over.


Matthew Honea is the cyber director at Cyence, a product family of Guidewire, where he spends most of his time on research and development related to cybersecurity. He can be reached at [email protected].
