Bug bounty programs are becoming increasingly popular on the web and are being promoted by major Silicon Valley companies such as Facebook, Yahoo!, Google, Reddit, and Square.
What is a bug bounty and how does it work?
A bug bounty is an initiative that calls on hackers to detect loopholes, or anomalies, in a company’s computer system. Their goal is to infiltrate the company’s system as much as possible to discover all possible flaws in order to estimate their level of severity and potential for exploitation. The company is then notified if a security breach has been found, so it can be corrected. This type of service is often used by large companies to improve their their security.
Hackers are compensated according to the level of difficulty involved in detecting security flaws, the time it takes to discover such flaws, and the budget companies allocate for rewards. Of course, the more difficult a task, more likely it is to inspire hackers to action.
Regardless of the size of a company or its infrastructure, it is often difficult for system designers to imagine how their products will hold up under real world conditions.
The bug bounty was put out in 1995 by Netscape to find weaknesses in its browser’s security system, and thus to reinforce it. This first bounty was a huge success and other companies followed suit by starting their own programs.
There are also bug bounty platforms that are open to any company, such as the European platform bountyfactory, which is open to anyone wishing to test their computer system.
Bug bounties can be open to the public, enabling hackers from all walks of life to contribute, or remain private, targeting a particular community of hackers for the sake of confidentiality, which is sometimes necessary depending on the mission at hand.
Are there any security risks for companies?
Bug bounties are programs that allow hackers to compete with each other and build a good reputation in their community. This forms part of what is often referred to as « white hat » activity. These hackers are security experts with a code of ethics. Their aim is precisely to find loopholes and to warn the user, the company, or the creator of the product. On the contrary, a « black hat » hacker is looks for flaws with malicious intent.
Bug bounty programs allow hackers to put themselves in the public domain, depending on the quality of the work they provide. As a result, they gain notoriety and are paid by companies for their services. In fact, rewards can be extremely large. Microsoft paid James Forshaw $100,000 for detecting a vulnerability in the Windows 8.1 operating system. Hackers chasing a bug bounty therefore have a greater interest in completing their mission and reporting flaws than exploiting them for dubious purposes.
Some companies still have difficulty in accepting that having their services analyzed and tested is necessary. Perhaps this is out of reluctance, since such a procedure may expose poor quality on the client’s part.
However, policies of ignorance have never proved ideal when it comes to IT security. It is far more sensible to protect your website against hacks than to find your customer files or user database on the Internet, which can usually be downloaded freely.