Getting Paid for Breaking Things: The Fundamentals of Bug Bounty

June 22, 2018 by David Balaban

According to the latest Software Fail Watch report released by Tricentis, companies all over the world lost $1.7 trillion last year to software failures and vulnerabilities. Such tremendous losses give businesses a strong incentive to increase spending on software testing. Companies are expanding their staff with professional testers and investing significant amounts of money in automated testing systems.

There is one more initiative that organizations spare no expense in funding: bug bounty programs. Major high-tech corporations, including Google, Facebook and Apple, and even governments pay white hat hackers for discovering vulnerabilities in their software. Let's take a look at the history and evolution of this phenomenon.


The history of bug bounty programs

The practice of finding loopholes in security systems appeared long before the first software was developed. In the 19th century, a British manufacturer of door locks offered 200 gold guineas, worth about $20,000 today, to anyone who could defeat one of its products. American inventor Alfred Charles Hobbs took up the challenge, managed to pick the lock within 25 minutes, and collected the award as promised.

More than a century later, companies' security concerns have shifted to the digital domain. Software vulnerabilities that attackers can exploit have become an issue at least as serious as insecure door locks. The first IT initiative offering enthusiasts a reward for finding vulnerabilities is believed to have been an ad by Hunter & Ready. The company was developing a real-time operating system called VRTX and promised a brand-new Volkswagen Beetle to anyone who found a bug in it. Winners could alternatively take $1,000 in cash.

A number of high-profile hacker attacks had taken place by the mid-90s, and the modern IT security industry came into existence. Back then, the first web browsers were gaining momentum, with Netscape and Microsoft competing for this niche. 1995 shaped up to be a particularly fruitful year for the former: capitalizing on its leading market position, the company made a successful IPO (Initial Public Offering). At that point, Netscape technical support engineer Jarrett Ridlinghafer noticed that many enthusiasts were finding bugs in the browser on their own and posting fixes online. This prompted him to propose to management that the company incentivize this kind of activity by paying for it.

Consequently, Netscape launched the first bug bounty program on October 10, 1995. It rewarded users of the Netscape Navigator 2.0 beta who found vulnerabilities in it and reported them to the company. According to some reports, Ridlinghafer's team was allocated an initial budget of $50,000 for this initiative. Participants could opt for cash or goods from the Netscape store.

The first company to follow Netscape's lead was iDefense. In 2002, this threat intelligence company launched its own vulnerability contributor program. Payouts varied depending on the type of vulnerability, the amount of detail provided about it, and the researcher's agreement not to disclose details of the bug later. Participants could make up to $500 per reported bug.

The Mozilla community, founded by former Netscape staff, also set up a bug bounty program for the Firefox browser in 2004. It was funded by Mark Shuttleworth, a well-known entrepreneur, and the software company Linspire. As with iDefense, participants could earn up to $500 for finding a critical vulnerability. This bug bounty is still running, but the maximum rewards have since increased tenfold. Over 14 years the organization has paid participants about $3 million.

Another program, the Zero Day Initiative (ZDI), entered the IT security scene in 2005 and is still up and running. Its mission is to act as an intermediary between the white hat hacker community and companies that need bugs found in their software. Two years later, ZDI sponsored a Pwn2Own contest in which white hats could try to exploit two MacBook Pro laptops running OS X, a platform then considered more secure than competing operating systems. ZDI representatives agreed to purchase every Mac OS X vulnerability discovered for a flat price of $10,000.

Apple, by the way, had no bug bounty program of its own back then and rejected the approach for nearly ten years. It wasn't until 2016 that Apple joined the growing bug bounty rush, becoming one of the last large technology companies to offer bounties for vulnerability submissions. However, its payouts were among the highest across the board, reaching as much as $200,000.

The current state of bug bounty

Other large tech companies started launching initiatives to incentivize white hat hackers in the early 2010s. From 2010 to 2017, Google spent $3 million in payouts to its bug bounty participants, most of it for exploits discovered in Chrome and Android. Facebook paid $5 million during 2011-2016. Microsoft, Sony, GitHub, Uber and many others run similar campaigns, and the list keeps expanding. For instance, the Valve Corporation has announced that it will pay for security flaws spotted in its code.

According to the HackerOne vulnerability coordination platform, white hat hackers currently earn nearly twice as much as software developers. For many of these enthusiasts, however, bug hunting is nothing more than a hobby: 12% of them make $20,000 a year, and 3% earn more than $100,000. They have a vast choice of bounties from many different organizations, ranging from Apple and Microsoft to MIT and the Pentagon. Most companies pay real money, but some resort to barter instead. For example, United Airlines offers frequent-flyer miles for bug reports.

Vulnerability hunting isn't limited to the software level. After a number of vulnerabilities were found in the Tesla Model S in 2015, Elon Musk's company increased payouts for hardware bug submissions. Microsoft made a similar move after the Meltdown and Spectre CPU flaws were disclosed: the corporation pays a fortune compared to its competitors for such bugs, with amounts reaching $250,000. Intel also welcomes and generously rewards researchers' help in discovering flaws.

Meanwhile, the abundance and availability of white hat hacker programs have given rise to a phenomenon dubbed "bug bounty as a service." Dedicated bug bounty platforms, such as Bugcrowd, Cobalt, Synack and the aforementioned HackerOne, are at companies' disposal for this purpose. These platforms bring hackers together and coordinate their efforts in an authorized attack against a website, application or service in exchange for a reward. On HackerOne alone, more than $20 million has been paid out in bounties over five years.

Bug bounty – the wins and pitfalls

Bug bounty programs have proven to save companies time and resources when looking for vulnerabilities. Last year, the team behind Slack, a popular corporate messaging service, published a summary of its three-year collaboration with white hats. According to the report, it paid more than $210,000 to researchers who helped make Slack more secure.

One detail of this story is telling: a month before the report, a security researcher had posted details of a bug he found in the messenger. The company's staff responded to his message within 33 minutes, and it took them only five hours to patch the flaw. The bug bounty participant received $3,000 for the discovery.

The U.S. Department of Defense is another customer of such platforms. HackerOne has been organizing penetration tests for the Pentagon, and hundreds of vulnerabilities have already been found. According to former Secretary of Defense Ash Carter, the DoD would have spent over $1 million if its own analysts had looked for those vulnerabilities, far more than the $300,000 paid out to the researchers.

However, things aren't as serene as they may appear in the bug bounty arena these days. The industry has seen conflicts over the legal issues of white hat hacking. In 2015, Synack senior security researcher Wesley Weinberg discovered a flaw that gave him access to a huge amount of Instagram data, including source code, SSL certificates and private keys, as well as user-uploaded images. In other words, he could have used this bug to impersonate any user or employee of the service.

Weinberg reported this to Facebook, the owner of Instagram, expecting a reward for his findings. Representatives of the social network, though, stated that he had violated the terms of their bug bounty program by accessing the personal data of employees and users.

As a result, Weinberg was disqualified from the program. His boss Jay Kaplan, the CEO at Synack, reportedly got a phone call from Facebook's chief information security officer Alex Stamos who said the case would go to the police if the details on the vulnerability hit the headlines.

This incident raises the issues of balance, ethics and control over white hat hackers' activity. On the one hand, companies want their security problems solved. On the other, they need to keep their users' and employees' sensitive data intact, which means preventing security researchers from going too far with their analysis. The U.S. Senate recently passed a bill that will allow the Department of Homeland Security to establish its own bug bounty program. Perhaps this will contribute to a legal framework for the entire industry.

Moving to the future

In 2017, 94% of the major public companies on the Forbes 2000 list had no channel for receiving vulnerability reports. Meanwhile, the companies that do have bug bounty programs are regularly increasing their payouts to researchers, and some platforms are raising funds from investors. This means the market is expanding and has the potential to grow further.

The groundwork is also being laid for automating researchers' work. Gartner predicts that 10% of penetration tests will be performed by machine learning algorithms by 2020, versus 0% in 2016. Growing investment in automated bug hunting systems confirms this trend. Last year, Microsoft presented its Security Risk Detection platform, which uses AI (artificial intelligence) to find vulnerabilities and report them to developers. Ubisoft has a similar tool that catches bugs in games.


These initiatives align with the fact that more and more organizations are integrating AI-based solutions into their corporate security systems. This approach combines the benefits of bug bounty with confidentiality: less human involvement in the process reduces the probability of data leaks. We may therefore witness a redistribution of investment between real-world and virtual bug hunting in the near future.
