Bug Bounty Program Management Benefits

ArtsSEC
Dec 29, 2018


Bug Bounty Programs are incentives offered to end-users of a platform — a website, video game, or software application — to find and report bugs. Through these programs, large-scale companies can effectively continue beta testing after a limited release, or even a full launch. The phrase “bug bounty” was coined for the Versatile Real-Time Executive (VRTE) operating system in 1983 by Mentor Graphics (now a division of Siemens). The company reportedly gave out Volkswagen Beetles as a reward for finding major system bugs. That the car itself was also known as a “bug” lent itself to the double entendre.

Bug bounties were popularized by an engineer for Netscape named Jarrett Ridlinghafer, after he noticed that some of their die-hard consumers were finding bugs and publishing workarounds on their own time. He reasoned that this external beta testing could be used for the company’s benefit, so he set up a program called The Netscape Bugs Bounty Program that incentivized findings. After some pushback from upper management about the effectiveness of the program, the first official bugs bounty program was launched for Netscape in 1995.

Why Use Bug Bounty Programs?

Freelance software developers receive many benefits from participation: the hands-on experience of testing a real-world application that is already available to the public; the recognition of a valuable contribution on their resume; and, of course, whatever cash and prizes are awarded to the victors. Today, bug bounty programs have taken the form of “White Hat” programs that are much more lucrative than in the early days. It is not uncommon for one of the billion-dollar software companies to pay out tens of millions in bounties per year, with individual prizes as high as $200,000 USD. In 2018, an intrepid individual or team of developers can make a living finding bugs in large-scale programs.

There are several benefits for the companies offering the bug bounty programs as well. Most importantly, the programs are highly effective at finding bugs because they cast a much wider net for highly skilled testers. Through bug bounties, companies can expand their QA capacity without hiring in-house testers: they offer what their budget allows and let the testers decide whether to accept the terms. Beyond that, engaging freelance security researchers who might otherwise become “black hat” hackers removes a significant security risk by bringing these individuals into the fold. For organizations that handle private information, for instance, a large web of expertise can be invaluable, and there can never be too many tests.

Bug Bounty Program Management Today

Technology behemoths like Facebook, Google, PayPal, and Apple all use bug bounty programs. These companies probably realized that the scale of their initiatives required extra hands to deliver within fiscal deadlines, and that such programs are in many cases more efficient than hiring more QA staff. Upstart companies can offset their QA limitations using bug bounty programs, both as a way to expand expertise and as a way to save on testing overhead. Having additional eyes and hands on your applications is very useful.

We can set up your program (responsible disclosure and bug bounties), manage the communication with hackers and researchers, triage and verify the reported vulnerabilities, and help your development team fix the issues.

For more information on ArtsSec’s Bug Bounty Program, visit our services page.


ArtsSEC

ArtsSEC was founded by a group of professionals dedicated to Information Security focused on providing creative solutions and high added value to its customers.