With how complex software is, it’s challenging to ensure that there are no bugs. This is simply the way of things that are human-designed and highly complex. To minimize the issue, software development companies include code reviews in their software development life cycle. But even careful expert review can’t catch everything. Very real time and budgetary limitations exacerbate this. Because of this, bugs make their way to production systems. Some bugs have little or no effect, but others can introduce nasty security vulnerabilities.
A security vulnerability is a class of bug that affects the system’s security in some way. There is a broad range of possible results, but in the end, all security vulnerabilities are bad for everyone. Unfortunately, finding bugs can be difficult and time-consuming. While developers can only spend a limited amount of time testing for bugs, another group, taken together, spends much more time using the application: the users.
Users of a system, combined, spend far more time on that system than its developers ever could. They also use a much wider variety of devices. Together, this makes the perfect environment for finding bugs: many eyes and many edge cases.
Putting the Users to Work
The traditional way to use users to resolve bugs is to have some error reporting function that allows users to report a bug they encounter. The developers can use this information to replicate, identify, and remediate the issue. The problem is that there’s minimal incentive for the user to report any issues. It’s a process that takes time, has potential privacy implications, and generally doesn’t result in any feedback, even if the problem is fixed.
Security vulnerabilities are even worse. A malicious user could choose to actively exploit a vulnerability they find. Depending on the issue, it may be possible to gain access to something valuable, either on the black market or through ransom or blackmail. Alternatively, it’s possible to sell knowledge of the vulnerability on the black market. Either way, users are not incentivized to report bugs and are actively disincentivized from reporting security vulnerabilities.
Turning the Tables
A bug bounty system is a way to turn the tables and actively encourage the reporting of security issues. The method is simple: reward the reporters. The standard approach is to pay a monetary bounty and to provide public acknowledgment of the contribution. This directly rewards users for reporting a security vulnerability and encourages them to do the right thing.
Bug bounty systems are typically open to anyone. Any user who identifies a security vulnerability can report it and get paid. There are some caveats, though. To be paid, you generally have to be the first person to report an issue, though there are rare exceptions in exceptional circumstances. You also have to follow the rules.
The rules of a bug bounty system provide blanket protection from legal action if you stay within them. They’re often detailed but relatively straightforward: don’t access other people’s data, don’t use vulnerabilities maliciously, and disclose them privately and responsibly. There may also be some things that are considered off-limits.
What Are the Rewards Like?
Realistically, the rewards are based on goodwill. There is also an element of “if this caused a data breach, we’d have to pay a much bigger fine.” Generally, the company pays what is, for it, a relatively low amount. This can, however, be quite a lot for the reporter. Some bugs may be paid for with less than a hundred dollars. In extreme cases, though, some companies have paid a hundred thousand dollars for serious vulnerabilities. Of course, most bounties are much lower than that.
Historically, bug bounties have been much lower and sometimes more of a simple thank you, such as sending out a free tee shirt or providing a free lifetime subscription to the service. Big tech companies have boosted the market, though, as has the arrival of bug bounty platforms. Bug bounty platforms are websites that host the bug bounty programs of many clients. They group everything into one place. This makes it much easier for a smaller organization to run a bug bounty system. One of the ways it does this is simply by standardizing the process.
Of course, the reward in a bug bounty is much less than could be achieved by selling the bug on the black market. The concept relies on the fact that, generally, most people want to do the right thing. Or at least they don’t want the risk of breaking the law coming back to haunt them.
Conclusion
A bug bounty is a system of paying a reward for finding and responsibly disclosing a security vulnerability. It actively encourages users to test and improve the security of products. It brings many new eyes to the testing process, all at minimal cost to the company. Of course, as someone taking part in a bug bounty system, it’s essential to be careful and to understand the rules.
Hacking is illegal; a bug bounty program permits testing some things but typically includes limitations. If you don’t follow the rules, you may be criminally liable. If you follow the rules and find and report a bug, you might get a nice payout and improve security for yourself and other users.