It goes without saying that vulnerabilities are costly – which is why some of the largest corporations in the world offer rewards to hackers who discover the weaknesses in their systems. A bug bounty rewards white hat hackers for discovering vulnerabilities in websites, applications and even whole systems. This gives IT teams the chance to solve the issues before they are exploited by individuals who wish to damage the business.
Benefits
Bug bounties are used by companies like Microsoft and Apple; in fact, almost all major technology companies employ this tactic. Now businesses outside the tech industry are switching on to their value and beginning to implement bounties as part of their cyber security measures. One of the biggest pluses of offering a bug bounty, even in organisations with established and capable IT teams, is that more eyes will be looking for vulnerabilities, meaning they are more likely to be picked up.
The cost of a bug bounty varies, with some firms known to offer in excess of $100,000. This is balanced by the knowledge that the cost of a vulnerability being exposed can be far greater. A hack is not just damaging to reputation; it also raises the unpalatable prospect of vital customer data being compromised, potentially leading to a whole host of other problems including identity fraud and theft. If a bug bounty can save a business from the huge costs involved in cleaning up post-hack, then it is well worth pursuing.
Penetration testing is the only real alternative to a bug bounty programme. Penetration tests can be costly to implement and there is no guarantee they will get results. Usually they are undertaken by a small team that is guaranteed to be paid even if no vulnerability is discovered. In comparison, bug bounties work because the reward is tied to a discovered vulnerability, so the financial incentive drives hackers to find existing issues.
Bugcrowd
Services like Bugcrowd (which was established in 2012) make it easy for a company of any size to run a bug bounty programme. The platform lets organisations run a bug bounty programme with rewards advertised to white hat hackers. Spreading the word about the rewards available means that more hackers will be scouring websites, applications and systems for vulnerabilities. All of this greatly increases the chances of flaws being found and systems being made more secure as a result.