In today’s digital age, any vulnerability – or “bug” – in a website, software product, application, or operating system must be addressed so that the flaw cannot be exploited by malicious parties. Bug bounty programs were created to help find and resolve these errors.
A bug bounty program works like a rewards program: people – such as security researchers and white hat hackers – who report coding mistakes or system faults receive cash rewards. The amount awarded depends on the scale of the impact and the severity of the attack scenario that the discovered vulnerability makes possible.
A bug bounty program essentially supplements the internal audit and penetration testing strategy of the website operator, software company, or application or OS vendor that runs it. It also functions as an incentive that drives product improvement, since updates can then patch the reported bug. In addition, awarding cash to the individuals who discover a vulnerability helps deter the sale of that vulnerability on the black market.
As Adam Mein, a spokesman for Google’s Vulnerability Reward Program (VRP), has stated, “We get more bug reports, which means we get more bug fixes, which means a better experience for our users. We also develop positive relationships with the researchers who are finding these bugs.”
Of course, bug bounty programs aren’t without controversy. There is concern, for instance, about the possibility of “double-dipping”: a hacker might collect the prize for discovering the bug and reporting it to the website or vendor, and yet still sell the same information to malicious buyers, who could exploit the vulnerability before internal review and remediation produce the necessary patch.
Nonetheless, these cash bounties are believed to help bring press coverage as well as raise consumer awareness of security vulnerabilities. Moreover, there have been cases where bug hunters were hired full-time as security researchers in the website’s or the vendor’s IT department.
Then there are bounties that have evolved into larger cash prizes for the most cutting-edge prototype, in design or implementation, that a white hat or security researcher can develop to prevent exploitation. In other words, these larger prizes are a more enterprising form of bug bounty program: they reward work on larger-scale, innovative solutions and thereby go beyond the typical “pay per vulnerability” model.
Various legal points, however, are associated with bug bounty programs. Should you be interested in becoming a bug hunter who seeks remuneration from a specific bug bounty program, you will have to abide by the rules and stipulations itemized on that program’s policy page.