A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.
Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US government agencies reverse course, from threatening white hat hackers with legal action to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.
History
Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive (VRTX) operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a "Bug") in return.
A little over a decade later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase 'bug bounty'.
Netscape encouraged its employees to push themselves and do whatever it took to get the job done. Ridlinghafer recognized that Netscape had many product enthusiasts and evangelists, some of whom could even be considered fanatical about Netscape's browsers. He started to investigate the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds, either in online news forums that had been set up by Netscape's technical support department, or on the unofficial "Netscape U-FAQ" website, which listed all known bugs and features of the browser, as well as instructions regarding workarounds and fixes.
Ridlinghafer thought the company should leverage these resources and proposed the 'Netscape Bugs Bounty Program', which he presented to his manager, who in turn suggested that Ridlinghafer present it at the next company executive team meeting. At that meeting, which was attended by James Barksdale, Marc Andreessen and the VPs of every department including product engineering, each member was given a copy of the 'Netscape Bugs Bounty Program' proposal and Ridlinghafer presented his idea to the Netscape executive team. Everyone at the meeting embraced the idea except the VP of Engineering, who did not want it to go forward, believing it to be a waste of time and resources. However, the VP of Engineering was overruled and Ridlinghafer was given an initial $50k budget to run with the proposal.
On October 10, 1995, Netscape launched the first technology bug bounty program, for the Netscape Navigator 2.0 Beta browser.
Vulnerability Disclosure Policy controversy
In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability through Facebook's bug bounty program, but Facebook's engineers misunderstood the report. He then demonstrated the vulnerability by exploiting it against the Facebook profile of Mark Zuckerberg, and Facebook refused to pay him a bounty.
Facebook started paying researchers who find and report security bugs by issuing them custom branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'" In 2014, Facebook stopped issuing debit cards to researchers.
In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual reportedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber's CISO, John Flynn, indicated that the company verified that the data had been destroyed before paying the $100,000, and he expressed regret that Uber did not disclose the incident in 2016. As part of its response to this incident, Uber worked with partner HackerOne to update its bug bounty program policies to, among other things, more thoroughly explain good-faith vulnerability research and disclosure.
Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called ''T-shirt-gate''. High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later claimed in a blog post that he was behind the voucher reward program and that he had basically been paying for the vouchers out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, allowing security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.
Similarly, when Ecava released the first known bug bounty program for industrial control systems (ICS) in 2013, they were criticized for offering store credits instead of cash, which does not incentivize security researchers. Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, their ICS software.
Geography
Though submissions for bug bounties come from many countries, a handful of countries tend to submit more bugs and receive more bounties. The United States and India are the top countries from which researchers submit bugs. India, which has either the first or second largest number of bug hunters in the world, depending on which report one cites, topped the Facebook Bug Bounty Program with the largest number of valid bugs. "India came out on top with the number of valid submissions in 2017, with the United States and Trinidad and Tobago in second and third place, respectively", Facebook wrote in a post.
Notable programs
In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70 (the figures $3,133.70 and $31,337 are leetspeak for "eleet" and "elite"). In 2017, Google expanded the program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store. Google's Vulnerability Reward Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.
Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty (IBB), a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software. In 2017, GitHub and the Ford Foundation sponsored the initiative, which is managed by volunteers including from Uber, Microsoft, Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences. The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.
In March 2016, Pentagon press secretary Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program. The program ran from April 18 to May 12, and over 1,400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200.
In 2019, the European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-Zip and KeePass. The project was co-facilitated by the European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities.
''Open Bug Bounty'' is a non-profit crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities (primarily XSS and similar issues found on any website) in the hope of a reward from the affected website operators.
The Center for Analysis and Investigation of Cyber Attacks (TSARKA), a cybersecurity company in Kazakhstan, launched a national vulnerability reward program called BugBounty.kz on December 8th, 2021. Both private companies and governmental information systems and resources have joined the program. Since the launch and up until October 28th, 2021, 1039 vulnerability reports were submitted. During the operation of the program, several critical vulnerabilities were reported that could have led to leaks of personal data from critical infrastructure and to possible manipulation of SCADA systems responsible for city life support.
See also
* Bounty hunter
* Cyber-arms industry
* Knuth reward check (program in 1980)
* List of unsolved problems in computer science
* List of unsolved problems in mathematics
* Market for zero-day exploits
* Open-source bounty
* White hat (computer security)
* Zerodium