This article is the first of a four-part series analyzing the present and future of Bug Bounty Programs. It is a point of view on improving online security for companies that run, or want to run, Bug Bounty Programs.
It all started a long time ago. We don’t know who coined the term, but Google made it well known when it launched its Bug Bounty Program in order to become more secure. Google was inspired by Mozilla’s Bug Bounty Program.
After that, big companies like Facebook, PayPal, Yandex, Mozilla, Etsy, Barracuda and others realised how important Bug Bounty Programs are for their products and started implementing them as well.
The advantages for both sides, the companies that run BBPs and the security professionals, are clear: companies get their flaws and vulnerabilities patched, while security specialists get paid for finding them.
And so Bug Bounty Programs became a trend in the InfoSec industry. BBPs resolve security issues and bring fame to security specialists. The programs are also a powerful marketing tool in the InfoSec industry. The most recent one is Mega’s BBP, launched on February 1st 2013 by Kim Dotcom with a prize of 10,000 Euro:
#Mega’s open source encryption remains unbroken! We’ll offer 10,000 EURO to anyone who can break it. Expect a blog post today.
— Kim Dotcom (@KimDotcom) February 1, 2013
We have put together a list of the most notable Bug Bounty Programs that pay in cash. If you think we missed a company that runs a Bug Bounty Program for cash, just let us know and it will be added to the list.
- Google – Chrome
- Google Application Security
- White Fir Design
We don’t believe you should do it for free, and that’s why we won’t mention companies that run BBPs without paying cash. The following post explains better why you shouldn’t be doing it for free: No More Free Bugs.
You can also watch this video presentation about BBPs given by internationally recognized InfoSec experts.
Bug Bounty Program advantages:
- Looking at Google, Facebook, Mozilla etc., it has been proven that using the power of the crowd to find and patch vulnerabilities is a fast, effective way to secure your server or web application.
- They help you manage your security budget better, since you pay only for valid vulnerabilities rather than by the hour.
- They are a very good marketing tool, both for the companies that run them and for the bug hunters.
- Participating in such programs as a security professional gives you continuous security training and strengthens your personal brand within the InfoSec industry.
BBPs don’t come cheap: you need good, reliable infrastructure (specialized personnel included) to run such contests on your own as a company. Seeing an opportunity in BBPs, some entrepreneurs have started to offer “Bug Bounty Program as a Service”, making BBPs more affordable for companies that need a security assessment.
We’ll talk about Bug Bounty Program as a Service in the next article. We would gladly answer any questions.
Stay secure while having fun.