A bug bounty program (“Bug Bounty”, from the English term) is an agreement offered by web platforms, organizations and software developers through which researchers can receive recognition and financial compensation for reporting security bugs, especially those related to exploits and vulnerabilities.
These vulnerability management programs allow developers to discover and resolve bugs before they become known to the general public, preventing incidents of widespread abuse.
They operate under the premise of a vulnerability non-disclosure agreement (disclosure guidelines): the content of the report is made available only to the security team and is not made public, so that the team has enough time to publish a fix.
Once the report is closed, the researcher or the security team can request public disclosure.
Bug bounty programs have been implemented over the years by a large number of organizations, including companies like Facebook, Mozilla, Microsoft, Google, Twitter, Intel, Apple, Tesla, Paypal, Uber, etc.
Companies outside the tech industry, including traditionally conservative organizations like the United States Department of Defense (DoD), have begun using bug bounty programs.
The Pentagon's bug bounty program, known as “Hack the Pentagon”, follows a shift in posture that has led several US government agencies to invite hackers to participate as part of a comprehensive vulnerability disclosure framework or policy.
The DoD programs “Hack the Army”, “Hack the Air Force”, “Hack the Defense Travel System” and “Hack the Marine Corps” are well known.
Other public bodies, such as the Finnish Ministry of Foreign Affairs, have also made use of the first vulnerability reward service in Northern Europe (the Nordic countries), coordinated by the Finnish company Hackrfi.
Developing secure software is difficult, even for experienced programmers who understand security concepts. Because building vulnerability-proof systems is such a challenge, more and more companies are choosing to implement bug bounty programs.
Interest in bug bounty programs continues to grow, and for good reason: they offer a good way to align the interests of companies that need to improve security with the people best able to deliver it. Hackers test their skills for profit, and companies minimize their costs because payment is only required for those who find vulnerabilities within the scope of the program.
Bug bounty programs vary in scope and in the amounts paid, depending on the potential vulnerabilities they cover.
According to statistics, around 2 billion lines of code are released each week, with over 110 billion lines of software code created in 2017 alone.
Bugcrowd, a company specializing in crowdsourced security, reported that its bug bounty programs totaled more than $6 million in 2017 and that 77% of all bug bounty programs had their first vulnerability detected and reported within 24 hours of the program's announcement.
For its part, the HackerOne platform reports, among others, the following figures for 2021:
- Bug bounty programs are growing across all industries, increasing 34% in 2021.
- Hackers reported 66,547 valid bugs in 2021, a 21% increase from 2020.
- The median price of a critical bug increased from $2,500 in 2020 to $3,000 in 2021.
- In the past year, the industry-wide average vulnerability resolution time dropped by 19%, from 33 to 26.7 days.
- Today, leading CISOs and security teams are leveraging the skills and experience of a professional and engaged community of hackers as a core strategy of their security testing: knowing which vulnerabilities are being prioritized, how they are being fixed, and what value is being placed on them can help organizations create or improve their own security testing program.