Can you believe it? There are big bucks rewards for catching, capturing, and turning in villains we’ve come to know as software bugs and vulnerabilities.
Yes, that’s right, Big Bucks, according to Margaret Rouse, who writes for Whatis.com, TechTarget’s IT encyclopedia and learning center.
Get a load of this. According to Rouse, Mozilla paid out a $3,000 flat-rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012, and, listen to this, she writes that Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1. In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.
This rewards program is also called a vulnerability rewards program and Rouse explains that it is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization’s vulnerability management strategy.
Rouse said in her article that many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited.
Further, she said, bug reports must document enough information for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.
But hold on a minute. Sean Martin writing in SearchSecurity, another techtarget.com site, advises that data shows that more companies are moving away from crowdsourcing and adopting invitation-only awards programs.
Martin reports that some companies have given invitation-only bug bounties the nod, leading to a higher percentage of quality submissions than vulnerabilities identified in public crowdsourcing programs. Other enterprises, especially those in the technology field, are ramping up their bug bounty programs and offering community researchers a clear path for reporting vulnerabilities and potential fixes.
However, not all is perfect with the invitation-only program. One researcher quite aptly explained why. “Every bug found is important. It’s easy as a researcher to get frustrated with the developers when you find a no-brainer bug – they should know better.” Martin then follows up on that statement by reporting that some companies are paying (sometimes big money) to find a bug that should not have been left for a bug bounty researcher to find.
Another researcher closed out Martin’s article noting, “spending time finding a no-brainer bug can be viewed as a waste of time.”