Bug bounty program
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.
Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US government agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.
Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also include process issues, hardware flaws, and so on.
The reports are typically made through a program run by an independent third party (like Bugcrowd or HackerOne). The organization will set up (and run) a program curated to the organization's needs.
Programs may be private (invite-only), where reports are kept confidential to the organization, or public (where anyone can sign up and join). They can take place over a set time frame or with no end date (though the second option is more common).
Who uses bug bounty programs?
Many major organizations use bug bounties as a part of their security program, including AOL, Android, Apple, Digital Ocean, and Goldman Sachs. You can view a list of all the programs offered by major bug bounty providers, Bugcrowd and HackerOne, at these links.
Why do companies use bug bounty programs?
Bug bounty programs give companies the ability to harness a large group of hackers in order to find bugs in their code.
This gives them access to a larger number of hackers or testers than they would be able to access on a one-on-one basis. It can also increase the chances that bugs are found and reported to them before malicious hackers can exploit them.
It can also be a good public relations choice for a firm. As bug bounties have become more common, having a bug bounty program can signal to the public and even regulators that an organization has a mature security program.
This trend is likely to continue, as some have started to see bug bounty programs as an industry standard which all organizations should invest in.
Why do researchers and hackers participate in bug bounty programs?
Finding and reporting bugs via a bug bounty program can result in both cash bonuses and recognition. In some cases, it can be a great way to show real-world experience when you're looking for a job, or can even help introduce you to folks on the security team inside an organization.
This can be full-time income for some folks, income to supplement a job, or a way to show off your skills and get a full-time job.
It can also be fun! It's a great (legal) chance to test out your skills against massive corporations and government agencies.
What are the disadvantages of a bug bounty program for independent researchers and hackers?
A lot of hackers participate in these types of programs, and it can be difficult to make a significant amount of money on the platform.
In order to claim the reward, the hacker needs to be the first person to submit the bug to the program. That means that in practice, you might spend weeks looking for a bug to exploit, only to be the second person to report it and make no money.
Roughly 97% of participants on major bug bounty platforms have never sold a bug.
In fact, a 2019 report from HackerOne confirmed that out of more than 300,000 registered users, only around 2.5% received a bounty in their time on the platform.
Essentially, most hackers aren't making much money on these platforms, and very few are making enough to replace a full-time salary (plus they don't have benefits like vacation days, health insurance, and retirement planning).
What are the disadvantages of bug bounty programs for organizations?
These programs are only beneficial if the program results in the organization finding problems that they weren't able to find themselves (and if they can fix those problems)!