Bug Bounty Programs
QA process outsourcing
Every piece of software may have bugs that hinder its functionality. Sometimes those bugs cause security issues, and those issues can then be turned against the user. That is exactly why it is so important to run an efficient QA process during development. Regular updates to already deployed code further help to prevent exploitation. Sometimes, when considering large systems, the ones that include the programming work of dozens of individual engineers, even thorough testing done by internal teams is not enough to eliminate potential errors in the code. In those cases, it is popular among companies to reach out to their own customer base for help, through a scheme called a bug bounty.
Enter Bug Bounties
Wikipedia defines a bug bounty program as a deal offered by many websites, organizations, and software developers, by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
It is a way for freelancers, security enthusiasts, and code purists to earn large amounts of money just for finding that one, single vulnerability. Naturally, the process is not as simple as it sounds: it often involves countless hours spent in front of the computer, turning it into more than a full-time job. The rewards are worth it. Facebook, Yahoo, Google, Microsoft, and all the other giants pay out hundreds of dollars to successful bug hunters. It is a win-win situation for both sides: the money that corporations would otherwise lose to incidents and spend on public compensation lands in the tester’s pockets instead. Over the last few years the activity became so popular that it even spawned multiple online communities that gather professional bug hunters on web forums, subreddits, and dedicated Discord channels.
Get a bounty for finding a bug
Historically, the first bug bounty program officially recognised by the community was launched in 1983 by a company called Hunter and Ready Inc. For their product, VRTX (Versatile Real-Time Executive), an operating system powering the Hubble Space Telescope, they invited freelancers and “hackers” to find vulnerabilities in the system, offering a Volkswagen Beetle as a reward. Initially, the program was intended as a publicity stunt, with marketing communication suggesting that the OS was so impervious that finding a bug would be nearly impossible. In the end, it provided the creators with an extensive list of vulnerabilities with which to make the system bulletproof.
Lots of companies followed the concept and started offering similar bounties to enthusiasts, and nearly a decade later Netscape’s tech support engineer Jarrett Ridlinghafer coined the name “Bug Bounty”. He noticed that a big chunk of the customer base consisted of developers and programmers who, once they found a problem in Netscape’s software, published workarounds and community patches themselves. The concept stuck with the company’s board, and on October 10th, 1995, the first real Bug Bounty program was officially launched for Netscape Navigator 2.0 Beta.
iDefense followed in 2002, and Mozilla in 2004, creating a program that still runs to this day. All those pioneering ideas paved the way for the modern, efficient error-spotting systems and applications that are nowadays offered as services, products, and SaaS platforms.
In 2010, Google created the Vulnerability Reward Program, which is still maintained today, offering rewards for spotting bugs in multiple Google products, with payouts ranging between $500 and close to $32,000.
Microsoft maintains several different Bug Bounty programs that offer up to $250,000 for a valid bug. Apple has its own, as do GitHub, Uber, Sony… basically every tech company out there. Samsung offers rewards of $200,000 to people able to “hack” its phones.
Facebook, with multiple partners, runs The Internet Bug Bounty, covering a multitude of different internet services and applications. Today the approach is so popular that even government agencies reward tech-savvy people, with Hack the Pentagon, run by the US Department of Defense, and EU-FOSSA 2, run by the European Commission, as examples.
It’s more than just the money
There are rewards other than money. While financial gratification is the most popular way to say “thanks” to the hunters, some companies have found different ways to motivate their communities. Lufthansa and United Airlines give Miles & More points that can be used for Star Alliance services, including airplane tickets, discounts, and VIP lounge memberships. More and more payouts are made in cryptocurrencies, and some companies simply hand out their products as rewards. Reaction time is a key factor for businesses: even the most extensive list of vulnerabilities is worthless if those vulnerabilities are not fixed, and some companies fix them lightning-fast, especially when personal data is concerned.
Introducing a bug bounty program allows organizations to get a better view of the problems in the software and applications they offer to the public, while at the same time projecting the image of a trustworthy and transparent company. Properly scaled rewards are good motivation for outsiders to spend their time making somebody else’s products better, while giving “hacking” enthusiasts room to engage in their hobby wearing white hats.
This process is sometimes reversed and monetized by software companies. Most software houses run Quality Assurance teams whose purpose is to test, check, and verify every single line of code written by their co-workers. A job that develops such a particular skill set and mindset can also be offered outside, giving other developers a dedicated team of engineers that can attempt to attack a website, product, or application using a defined and documented method. Either way, bug bounties provide satisfying and rewarding activities for specialists, creating a unique win-win scenario for the development community.