Bug Bounty Exposed

Many of you probably heard of Bug bounties. They are organized by companies that develop software / websites and reward people that report bugs found in their software. This reward can be a simple thanks or recognition, but also a reasonable amount of money.

Why would companies do this?

Of course companies test their software before releasing, but we all know that software is never bug free. Sayings like there are 15-50 bugs per 1000 lines of code are not uncommon. However the companies themselves nor have the time, money and resources to exhaustively test for bugs. Therefore they write out these contests to let the public find and report bugs in exchange for a gratification. This means in practice that thousands of extra experts / enthusiasts will review your software. Since bounties are only paid for actual found bugs, money wise this is often more lucrative for a company then hiring extra personnel, security researchers, consultants etc.

Bug hunters

From the perspective of the bug hunters, people that try to find the bugs, this can be lucrative way to earn money. There are even people that make a living out of it. One nice success story I would like to share is that of a computer engineer from Brazil, in November 2013, he got a bug bounty of $33,500 from Facebook. In his blogpost he explained the bug that he found. There are also cases at Microsoft where they paid a bounty of $100,000, of course this is more the exception than the rule.

Bug Bounty Platforms

Jobert Abma and Michiel Prins, started Hackerone, to fill the gap in the marketplace for offering the service to host bug bounty programs, for a nice article on this subject click hereAnother company who is active in the same market is called BugCrowd both are active platforms and useful to find the right information to get you started.

How to start?

If you want to become bug hunter click here to read a nice forum post. It all boils down to read, read and try try and try some more, but the forum post can keep you on the right track. When you are searching for companies that have an active bug bounty program look at the overview of BugCrowd here and at Hackerone here.

Personally I hope that more and more embedded devices will be included in the bug bounty programs. A nice example is the bug bounty of Samsung with their Smart TVs . Also ARM with ARMmbed has an program for their TLS (Transport Layer Security) library written in C , see here. I found the subject really great to read more about, knowing that security is a trending topic. For now I can only wish you success on your journey as bughunter.

Leave a Reply

Your email address will not be published. Required fields are marked *