Bug Bounty Programs: A Quick Guide

Heard a lot about bug bounty programs but not really sure what they are? Read on…

Threat Intel
Feb 1, 2018

What is a bug bounty program?

Bug bounty programs offer rewards to people who discover bugs, such as exploits and vulnerabilities, in a company’s software. Not every company runs one, but an increasing number of companies are implementing bug bounty programs. They reward “white hat” hackers (basically, “good” hackers) who report any bugs they discover to the makers of the product or software, rather than revealing them publicly, attempting to exploit them, or selling them on underground markets.

When did bug bounty programs begin?

It is generally accepted that the first bug bounty program was created by an engineer called Jarrett Ridlinghafer when he was working at Netscape in 1995. Ridlinghafer proposed to executives at the company that they offer cash rewards to hackers who found bugs in the software and disclosed them to the company. That was almost 23 years ago, and the rest is history.

How do bug bounty programs work?

Different programs have different rules. Generally, established bug bounty programs will have clear parameters that outline the types of vulnerabilities or exploits eligible under the program, and the services or software the company wants researchers to investigate for vulnerabilities. Many programs also have predetermined amounts that they pay out in bounties for the discovery of specific bugs. Generally, the more serious the bug discovered, the higher the bounty on offer. The bounty payouts can get pretty high. Recently, a researcher claimed $105,000 via Google’s Android Security Rewards program for discovering and disclosing an Android exploit chain impacting Google’s Pixel handset. This was the highest bounty Google has ever paid out — so far. While that was an exceptionally large bounty, bounties for less serious flaws can be a few hundred or a couple of thousand dollars.

Recent research from bug bounty platform HackerOne revealed that ethical hackers who participate in bug bounty programs can earn more than double the salary of a software engineer in their country. Hackers from India are the top participants in the HackerOne bug bounty programs, and top hackers in that country can earn as much as 16 times the median salary of an engineer working there.

Some top bug hunters can earn multiples of a software engineer’s salary

What is responsible disclosure?

Responsible disclosure is basically an agreement between software vendors and security researchers that the researchers will report any bugs discovered to the vendor of the affected software before disclosing the bugs publicly. Generally, the researcher and vendor agree on a time period during which the vendor will issue patches for the bugs before the security researcher publicly releases information about the bugs they discovered. A generally accepted period is 90 days between when the researcher tells the software vendor and when they disclose the bug publicly, though this can sometimes be extended if all parties agree, as was the case with the recent Spectre/Meltdown vulnerabilities. In that case, the gap between private and public disclosure was almost seven months. Obviously, the reason responsible disclosure exists is so that baddies can’t exploit discovered vulnerabilities before the software owners have a chance to patch them. However, the issue with having lengthy periods between the discovery of a vulnerability and the public being made aware of it is that if a “good guy” was able to find the vulnerability, then a “bad guy” may be able to as well. For this reason, if a researcher does not receive a response from a company about a bug discovery within 90 days, it is generally considered fair, and still “responsible”, for them to then go public about their discovery.

What companies run bug bounty programs?

A vast array of companies now have bug bounty programs in place, though the rules, regulations, and bounties on offer can vary. Most programs are open to any ethical hackers who wish to participate, though some, like Apple’s, are invite-only and open only to certain security researchers. The top bounty offered by Apple’s bug bounty program is $200,000 but, according to media reports, it’s not known if anyone has ever reported a bug and received a reward through this program. One reason for this may be that vulnerabilities in Apple products are hugely valuable on the so-called “gray” market for exploits. For example, controversial exploit broker Zerodium will pay as much as $1.5 million for certain iOS flaws.

Apple launched its bug bounty program relatively recently, in late 2016. Most other large tech companies have had bug bounty programs running for longer than that. Among the companies with bug bounty programs are big names like Google, Facebook, Microsoft, and GitHub. The bounties paid out vary widely, but as said above, the rewards for researchers can be significant. Between 2010 and 2016 Google paid out a total of $9 million through its Vulnerability Reward Programs.

Bug bounty programs are such big business now that platforms like HackerOne and BugCrowd have been launched to bring researchers and businesses together, and to run bug bounty programs on behalf of organizations. The U.S. government has even teamed up with HackerOne, first in April 2016 when the Department of Defense (DoD) launched the “Hack the Pentagon” program. For 24 days, pre-selected security researchers were able to search for bugs on specific DoD websites. As a result of this program, the DoD resolved 138 unique vulnerabilities. The program was such a success that it has subsequently been followed up with similar “Hack the Army” and “Hack the Air Force” programs.

Bug bounty programs make a lot of sense for companies: the rewards paid out are small change compared to the damage to business and reputation that a malicious cyber attacker could do to an organization if they exploited a vulnerability to steal information or stop operations.

The biggest threat to the success of these programs is likely to remain the huge payouts on offer from “gray area” exploit brokers: it will be interesting to see if companies will be forced to raise the bounties they offer in response to such competition.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up to date with the latest happenings in the world of threat intelligence and cybersecurity.



Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.