The growth of ethical ‘bug bounty’ hacking


Not all hackers have bad intentions and motivations. There are thousands of ‘white hat’ hackers who act, they would say, with an ethical motive and not with the typical malicious intent associated with hacking. 

Within this field is an activity termed ‘bug bounty’ hunting which collectively fetches tens of millions of pounds per year for those who find these bugs and claim a reward. 

What is a ‘bug bounty’ and what are its origins? 

Bug bounty programs are offered by many organisations, websites and software developers and allow individuals to receive recognition and compensation (bounty) for reporting bugs, particularly those involving security exploits and vulnerabilities. 

If a hacker spots a problem and can report it with sufficient evidence, organisations will often provide a significant financial reward, because the report enables them to tighten their security and patch issues that could otherwise result in sizeable losses. 

The first known bug bounty program is generally said to have been initiated by Hunter and Ready in 1983 for their Real-Time Executive operating system. Those who found and reported a bug received a Volkswagen Beetle (a.k.a. the Bug) in return. 

Twelve years later, in 1995, the phrase ‘bug bounty’ was coined at Netscape as part of its new ‘Netscape Bugs Bounty Program’, which rewarded those who reported bugs in its browser. In October 1995, Netscape launched the first technology bug bounty program, covering the Netscape Navigator 2.0 Beta browser. 

Today, a large number of organisations run bug bounty programs, including many well-known companies such as Microsoft, Google, Facebook and Mozilla. These programs allow developers to resolve bugs before they become public knowledge, often preventing incidents of widespread abuse. 

The money involved in bug bounties 

The bug bounty market is now worth millions. Google said they had paid more than $6.7m in rewards in 2020, which took the total pay-outs made by the company to roughly $28m.  

Microsoft, on the other hand, revealed in July that it had paid out $13.6m in rewards within the past year, with the biggest single reward a massive $200,000. The giant also announced this week the addition of its Power Platform to its bug bounty program, with the largest single pay-out at $20,000. 

HackerOne, one of the largest administrators of bug bounty programs, with clients such as the US Department of Defence and Google, revealed some of the huge figures involved with bug bounties in September last year. 

For the 181,000 vulnerabilities that had been reported at that time, over $100m had been paid out to hackers signed up to its service. In the year leading up to September 2020, $44.75m had been awarded to hackers – a year-on-year increase of 86 percent in total bounties paid. 

The average amount paid per vulnerability is $979, with critical vulnerabilities bringing in even more at $3,650. 

The benefits of bug bounty programs 

So what has caused the growth in bug bounty hacking? More recently, the pandemic caused a surge in bounty hunting by hackers. HackerOne said new hacker signups increased by 59 percent in the months following the start of the pandemic, and a survey by the company indicated 38 percent of participants had spent more time hacking after the Covid-19 outbreak began and the stay-at-home rules were introduced.  

But there are many benefits for companies in running bug bounty programs, and more of them are launching such programs. 

  • Increased detection of vulnerabilities – bug bounties provide a platform and an incentive for vulnerabilities to be detected. If vulnerabilities are found by threat actors before they can be resolved, the consequences could be severe. Finding bugs beforehand reduces the likelihood of attacks and helps to protect the company’s reputation. 
  • Finding real-world vulnerabilities – bug bounty hunters act as a cybercriminal would, and so find vulnerabilities that more structured testing might not. 
  • Reduced costs – paying someone to find vulnerabilities is proactive and can be significantly cheaper than remediating an incident once it has happened. Rewards are also paid only when bugs are actually found, rather than employing somebody to look for them on a permanent contractual basis. 
  • Greater access to talent – running an open bug bounty program rather than employing people in-house greatly expands the pool of talent. Many participants in this activity are highly skilled but may prefer to work on a freelance basis for many companies. 

Summary 

Bug bounties are becoming increasingly common as a way for organisations to mitigate vulnerabilities in their systems. Such programs can bring a company many benefits, potentially saving it huge amounts of money and protecting its reputation in the long term. 

Bounty hunters can make a lot of money for finding vulnerabilities, and the activity provides an opportunity for hackers to use their skills far more ethically.
