Cyber attacks are becoming more and more common these days, with hackers exploiting vulnerabilities that had gone under the radar. Thankfully, bug bounty programs are also becoming more common, and the number of researchers taking part in cleaning up the mess is growing constantly.
These bug bounty programs, whether run in-house or via a platform such as HackerOne, are extremely important: they challenge white hats and researchers to go through the code of certain software with a fine-tooth comb and find the vulnerabilities. They don’t do it purely out of the goodness of their hearts, because they get paid for it. It’s a win-win situation where hackers are paid in accordance with the severity of the bug they discovered.
The company verifies the vulnerability, creates a patch, and the result is that millions of users are instantly safe. Of course, when we’re talking about companies such as Google, Facebook, Microsoft or Apple, we’re also talking about billions of users, not just millions.
It’s these types of programs, alongside hackathons where hackers get together and compete against each other, that make the cyber world safer. Sure, the companies behind the software or platforms we use online have their own people going over the code looking for issues, but it’s always better to have more eyes searching for the needle in the haystack.
Google, for instance, has an in-house Vulnerability Reward Program. Ethical hackers are invited to look for any issue with google.com, youtube.com, blogger.com, as well as any Google-developed apps and extensions found in the Google Play or iTunes app stores, or in the Chrome Web Store. Additional programs are run for hackers looking for Android or Chrome bugs.
For Android bugs, for instance, Google pays up to $330 for low severity bugs and up to $200,000 for critical issues. Those who find Chrome bugs can get anywhere up to $500 for smaller issues they may discover, or up to $15,000 for more serious problems.
Government participation in Bug Bounty programs
And it’s not just tech firms that are taking advantage of the knowledge and experience of ethical hackers and security researchers, but also the US government. For instance, the Hack the Pentagon program was quite successful: for a limited number of days, hackers got to look through a limited section of the Pentagon’s infrastructure. By the end of it, north of $70,000 had been paid to researchers for 138 vulnerabilities. Then the Hack the Air Force program took place earlier this summer, but there has been no report on the paid bounties or the findings.
Bug bounty programs used to be controversial, as many companies believed they would only paint a big bull’s-eye on them, inviting hackers with questionable ethics to dig through their platforms. Nowadays, however, the situation has changed dramatically. Companies are willing to put themselves out there in order to discover vulnerabilities that may have slipped under the radar, so as to avoid security breaches that could be catastrophic, and so is the government.
In fact, after the Pentagon opened some of its doors to white hats, more and more government entities are leaning towards doing the same.
The reason is simple: bug bounty programs help make the world safer. The more they expand, the more they grow, and the more companies accept that this is, in fact, the future, the safer we’ll all be.