What is a bug bounty program?
A bug bounty program is announced by a company, a private or governmental organization, or another institution and offers rewards for discovering vulnerabilities or bugs in its software, applications, or web services. As a rule, the rewards are cash prizes or non-cash prizes. Bug bounty programs are part of the security strategy: they enable the sponsoring organization to fix the discovered vulnerabilities and bugs before they are exploited for malicious or criminal purposes.
Bug bounty programs are aimed at computer and IT security professionals such as hackers and programmers, and at academic actors such as security researchers. The bounties offered are sometimes high. They depend on the type and complexity of the discovered vulnerability and on the importance and size of the sponsoring organization.
Although bounties have to be paid, bug bounty programs offer a very cost-effective and efficient way to improve the stability and security of software and applications. Bug bounty programs are usually designed so that the company or organization must be notified of the discovered bug or vulnerability and the finder must not publish it directly. This allows the vulnerability to be fixed before it is exploited.
Bug bounty programs can be divided into open and closed programs. In principle, anyone can participate in open programs. To participate in a closed program, an explicit invitation is required.
Areas of application of bug bounty programs
A large number of bug bounty programs exist worldwide. The companies or organizations issuing invitations come from a wide variety of sectors or industries.
They may be software vendors, network operators, cloud providers, web application operators, operating system vendors, companies in the financial industry, or other types of companies and institutions that rely on software. For example, Facebook, Microsoft, Apple, Tesla, Airbnb, eBay, LinkedIn, Pinterest, Symantec, Uber, Lufthansa, Intel, and many more run bug bounty programs.
Government or public institutions with bug bounty programs include EU-FOSSA (Project Free and Open Source Software Audit) or the Pentagon.
Advantages of a bug bounty program
The advantages of a bug bounty program can be divided into advantages for the sponsoring organization, for the program participant, and for the end customer.
Advantages for the sponsoring organization are:
- Efficient and cost-effective measure for improving software, product, and IT security
- A large number of experts deal with the security of the software
- Errors and vulnerabilities can be eliminated before they are exploited and lead to damage
- High level of customer confidence in the company’s products
Advantages for the participant in the program are:
- Program presents an interesting challenge and can be financially rewarding
- The IT security expert can prove their skills and improve their knowledge and reputation
- A legal and ethically correct form of hacking
- Recognition in the IT security environment
Advantages for the user of the software are:
- Stable and secure products and services