Bug bounty program

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security vulnerabilities. If no financial reward is offered, it is called a vulnerability disclosure program.

These programs, which can be considered a form of crowdsourced penetration testing, grant permission for unaffiliated individuals, called bug bounty hunters, white hats or ethical hackers, to find and report vulnerabilities. If the developers discover and patch bugs before the general public is aware of them, cyberattacks that might have exploited those bugs are no longer possible.

Participants in bug bounty programs come from a variety of countries, and although a primary motivation is monetary reward, there are a variety of other motivations for participating. Hackers could earn much more money for selling undisclosed zero-day vulnerabilities to brokers, spyware companies, or government agencies instead of the software vendor. If they search for vulnerabilities outside the scope of bug bounty programs, they might find themselves facing legal threats under cybercrime laws. The scale of bug bounty programs increased dramatically in the late 2010s.

Some large companies and organizations run and operate their own bug bounty programs, including Microsoft, Facebook, Google, Mozilla, the European Union, and the United States federal government. Other companies offer bug bounties via platforms such as HackerOne.

In 1851, Alfred Charles Hobbs was paid US$20,000 (adjusted for inflation) to pick a lock. In 1983, the Hunter & Ready company posted an advertisement with the tagline "Get a bug if you find a bug", offering a Volkswagen Beetle car to hackers who discovered bugs in its VRTX operating system. In 1995, Netscape launched its bug bounty program for the beta version of its Netscape Navigator 2.0 browser. Later on, other enterprises opened their own bug bounty programs. These were supplemented by crowdsourcing platforms that made it easier for professionals to find bug bounties.

Despite developers' goal of delivering a product that works entirely as intended, virtually all software contains bugs. If a bug creates a security risk, it is called a vulnerability, and if the vendor is unaware of it, it is called a zero-day. Vulnerabilities vary in their potential to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it. The harms of an attack can be severe.

Organizations seeking to improve security test their systems to see if they can be breached. Many contract with external services that conduct penetration testing, but this is not enough to find all vulnerabilities, motivating some companies to supplement it with crowdsourced information. Many companies are skeptical of third-party reports, fearing that these programs will increase malicious activity, cost too much money, or bring fraudulent reports. Alternatively, bug bounty programs might be ignored because of confidence in the application's security or in favor of other security measures. Some studies have found that the cost per vulnerability found is much lower via bounty programs than by hiring software engineers to search for vulnerabilities.

The size of the reward offered varies depending on factors such as the size of the company, the difficulty of finding the vulnerability, and how severe its effects could be if exploited. Successful bug bounty hunters can often make more than software developers. Many bug bounty programs are focused on web applications.
