Bug bounty programmes have generated a lot of discussion among companies today. Some attach no importance to the vulnerabilities or errors that their own assets may contain, but what they do not realise is that the later these are found and corrected, the worse the problem will be.

After reading this article, you will know more about bug bounty: its main concept, its legal terms and why it is so important to introduce a bug bounty programme in a company.

What is bug bounty?

A bug bounty is a reward, financial or otherwise, for researchers who discover and report vulnerabilities in a company’s digital assets.

Bug bounty programmes are platforms that mediate between companies and security researchers in order to find security problems; the company rewards those who discover and report these application software bugs.

Today we find companies such as Google that have their own web page through which anyone can report these flaws to them. On the other hand, there are also programmes that specialise in collecting all of a company's bug bounty vulnerabilities, such as Epic Bounties.

The purpose of having a bug bounty programme in a company is for experts to detect these bugs before they “go public”, in order to prevent security problems.

History of the bug bounty

If we take a step back in time, we can see a little of how the history of bug bounty programmes has unfolded.

1983 - Hunter & Ready launched the first programme for its Versatile Real-Time Executive operating system. The reward offered to anyone who found and reported a bug was a Volkswagen Beetle.

1995 - Netscape offered the first monetary reward when it launched its first bug bounty programme to find vulnerabilities and bugs in its Netscape Navigator 2.0 Beta.

2002 - iDefense acted as an intermediary between various software providers and researchers, offering researchers rewards of up to $400.

2004 - The Mozilla Foundation also offered rewards of up to $500 in its launch of the bug bounty programme for the researcher who found vulnerabilities in its digital assets.

2005 - Zero Day Initiative (ZDI) was launched by TippingPoint as an “intermediary” programme.

2007 - The Pwn2Own contest, created by researcher Dragos Ruiu, was announced in order to search for security bugs in Mac OS X due to the lack of response from Apple Inc.

2010 - Google initiated bug bounties on web applications.

2011 - Facebook launched its “Whitehat” bug bounty programme offering $500 minimum.

2013 - Microsoft and Facebook teamed up to sponsor Internet Bug Bounty to find vulnerabilities in frameworks.

Today - The market has a wide variety of ongoing bug bounty programmes for web applications.

A wide variety of companies around the world today run their own bug bounty programmes, which we will mention below.

Is it important to have a bug bounty programme in the company?

The aim of companies is to reduce risks, improve security processes and thus minimise complications in the organisational environment. To do so, they must have clear information about the risks they want to correct and eliminate.

Launching a bug bounty programme in the company will help to carry out continuous security reviews and ensure minimal risks to digital assets.

Companies with their own Bug Bounty programme

Having said that, there are companies today that have launched their own bug bounty programmes. These companies are organisations with a high level of maturity that need constant review and security audits of their infrastructures:

Legality in a bug bounty programme

Due to the existence of public vulnerability reporting, there are security researchers who report such bugs to the company in question. This can have legal consequences for the researcher; it is therefore important to take into account intermediaries such as bug bounty programmes.

As technology has evolved, it has gradually become clear that network security risks in companies are on the rise.

The integration of security researchers has proven to be a very profitable action for such companies. This has led to the creation of laws such as the “Department of Homeland Security Cyber Hunting and Incident Response Teams Act of 2019”.

The key points of this law are assistance in restoring services after a cyber incident, the identification of possible intrusions, the development of prevention strategies to protect the company’s digital assets, and finally the provision of recommendations to owners to improve the security of their company’s network.

Contributing to greater cyber awareness

Bug bounty programmes have proven to be a great solution for well-established companies: they are organised to find vulnerabilities and bugs in the company’s software and end with a reasonable reward for the researcher who found and reported the vulnerability.