A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty. Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US government agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.


History

Hunter and Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a "Bug") in return. A little over a decade later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase "Bug Bounty". Netscape encouraged its employees to push themselves and do whatever it took to get the job done. Ridlinghafer recognized that Netscape had many product enthusiasts and evangelists, some of whom could even be considered fanatical about Netscape's browsers. He investigated the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds, either in online news forums set up by Netscape's technical support department or on the unofficial "Netscape U-FAQ" website, which listed all known bugs and features of the browser along with instructions for workarounds and fixes.

Ridlinghafer thought the company should leverage these resources and proposed the "Netscape Bugs Bounty Program", which he presented to his manager, who in turn suggested that Ridlinghafer present it at the next company executive team meeting. At that meeting, attended by James Barksdale, Marc Andreessen and the VPs of every department including product engineering, each member was given a copy of the "Netscape Bugs Bounty Program" proposal and Ridlinghafer was invited to present his idea to the Netscape executive team. Everyone at the meeting embraced the idea except the VP of Engineering, who did not want it to go forward, believing it to be a waste of time and resources. The VP of Engineering was overruled, however, and Ridlinghafer was given an initial $50k budget to run with the proposal. On October 10, 1995, Netscape launched the first technology bug bounty program, for the Netscape Navigator 2.0 Beta browser.


Vulnerability Disclosure Policy controversy

In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability using Facebook's bug bounty program but was misunderstood by Facebook's engineers. He later exploited the vulnerability using the Facebook profile of Mark Zuckerberg, which resulted in Facebook refusing to pay him a bounty.

Facebook started paying researchers who find and report security bugs by issuing them custom branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'" In 2014, Facebook stopped issuing debit cards to researchers.

In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber's CISO indicated that the company verified that the data had been destroyed before paying the $100,000. Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of its response to this incident, Uber worked with its partner HackerOne to update its bug bounty program policies to, among other things, more thoroughly explain good faith vulnerability research and disclosure.

Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called ''T-shirt-gate''. High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later claimed in a blog post that he was behind the voucher reward program and that he had basically been paying for the rewards out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, allowing security researchers to submit bugs and receive rewards of between $250 and $15,000, depending on the severity of the bug discovered.

Similarly, when Ecava released the first known bug bounty program for ICS in 2013, it was criticized for offering store credits instead of cash, which does not incentivize security researchers. Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, its ICS software.


Geography

Though submissions for bug bounties come from many countries, a handful of countries tend to submit more bugs and receive more bounties. The United States and India are the top countries from which researchers submit bugs. India, which has either the first or second largest number of bug hunters in the world, depending on which report one cites, topped the Facebook Bug Bounty Program with the largest number of valid bugs. "India came out on top with the number of valid submissions in 2017, with the United States and Trinidad and Tobago in second and third place, respectively", Facebook stated in a post.


Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70. In 2017, Google expanded the program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store. Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.

Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty (IBB), a program offering rewards for reporting hacks and exploits for a broad range of Internet-related software. In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers including from Uber, Microsoft, Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences. The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.

In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program. The program ran from April 18 to May 12, and over 1,400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200.

In 2019, the European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-Zip and KeePass. The project was co-facilitated by the European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities.

''Open Bug Bounty'' is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators.

On December 8th, 2021, the Center for Analysis and Investigation of Cyber Attacks (TSARKA), a cybersecurity company of Kazakhstan, launched a national vulnerability reward program called BugBounty.kz. Alongside private companies, governmental information systems and information resources have joined the program. Since the launch and up until October 28th, 2021, 1039 vulnerability reports were submitted. During the operation of the program, several critical vulnerabilities were reported that could have led to leaks of personal data from critical infrastructure and to possible manipulation of SCADA systems responsible for city life support.


See also

* Bounty hunter
* Cyber-arms industry
* Knuth reward check (Program in 1980)
* List of unsolved problems in computer science
* List of unsolved problems in mathematics
* Market for zero-day exploits
* Open-source bounty
* White hat (computer security)
* Zerodium

