
The cash for bugs business is booming. Here's why

People all over the world make money, some of them a lot, by searching for bugs in other people's software and reporting them.

A researcher who discovers a flaw in a technology product generally faces two options: exploit the flaw for personal (and criminal) gain, which includes selling it to others who will exploit it, or take the high road, tell the product's creator about the flaw, and perhaps collect what's known as a bug bounty.

Bug bounties have been part of the tech landscape since 1995, when Netscape first offered merchandise and cash prizes to users who reported problems with the then-nascent web browser. The concept was just a quirky idea at the time, but the practice took off. Today, hundreds of organizations rely on bug bounties as part of a robust cybersecurity toolkit.

Bug bounties are popular because they work. Erka Koivunen, CISO of Finnish security company F-Secure, says the company has been paying bug bounties since 2014. Last year, it surpassed €100,000 (US$116,000) in lifetime payouts to a diverse group of bug reporters. "There are people from all walks of life," says Koivunen. "Some of them are extremely sure of themselves and some of them are nervous, just entering the profession." This year, Koivunen says, the company is approaching €150,000 (US$174,000) in lifetime payouts, having received 67 external and 24 internal vulnerability reports so far. (Employees are also eligible to collect bounties.)

As at most companies that offer bug bounties, payouts at F-Secure vary with the severity of the bug reported. Most bugs reported to F-Secure are "quite trivial," says Koivunen, meriting minimal payouts of just €50 (US$58) or €100 (US$116). The biggest vulnerabilities earn reporters up to €15,000 (US$17,400) plus a spot on F-Secure's Hall of Fame web page. The bigger the company paying the bounty, the bigger the bounty tends to be: Microsoft recently announced it was raising its highest-level bounty payment to $100,000, and the company paid out a total of $13.7 million in the 12-month period ended June 2020, triple the previous year's figure.


That's strategic. It's important to keep raising bounties, says Scott Reed, director of product security at Zendesk, which started in 2014 by giving away free T-shirts before establishing a formal bug bounty program in 2015. Today its top bounty is $5,000, and the company has paid out more than $175,000 since the program's inception. "If you want people to look for the more complicated and critical issues, you need to keep raising the stakes," he says.

Koivunen is unequivocally enthusiastic in his praise for F-Secure's program and the bug bounty concept. "We're quite satisfied with it," he says. "We often get extremely valuable input into bugs and vulnerabilities that we have been completely unable to spot ourselves."

Bug bounties: The front line of cyberwar

But bug bounties aren't confined to the enterprise. They're also being used on a grand scale by governments.

Sunil James, senior director of security engineering at Hewlett Packard Enterprise, has worked since 2000 with government and military entities that pay bounties for vulnerabilities and zero-day exploits in both commercial and open source software. Why would entities like the U.S. Army or National Security Agency pay up to $200,000 for a few lines of code that could crack, say, Internet Explorer? "These few lines of weaponized code are not only reusable but also much cheaper than other conventional weapons we as taxpayers pay for," says James.

As traditional warfare has given way to cyberwarfare, those prices have only risen, he says. The U.S. government's interest lies in protecting critical infrastructure: low-level control systems, firmware, SCADA systems, the guts of the Internet and the economy. "We're talking power grids and waste/water management systems," says James. "Organizations making diapers and formula are just as important," he adds, because interrupting their systems could "potentially create societal chaos."

"The U.S. government is a major participant in this market," says James. "It's not even close. We do it better than anybody on the planet."


And as far as James is concerned, that's a good thing, because cyberwarfare isn't a theoretical risk but a threat that plays out regularly. Nicole Perlroth's new book, This Is How They Tell Me the World Ends, details, among other things, Russia's attacks on Ukraine: the December 2015 and December 2016 intrusions that cut power to parts of the country, and the 2017 NotPetya wiper that destroyed data on government and business systems and shut down ATMs, gas stations, and more. "People were left sitting in the dark in the middle of winter," says James.

How to get started with a bug bounty program

The stakes are just as high for the enterprise. A successful attack that uses a previously undiscovered vulnerability can ruin a company's reputation and easily cost millions of dollars in damages. Measured against that risk, paying a few thousand dollars to learn about and patch those holes before attackers find them is an easy decision. A bounty only pays for what outside researchers happen to find, though, so it complements internal testing and code review rather than replacing them.

Being proactive is critical, because a bounty program competes with buyers on the other side for the same discoveries. "The bad guys are willing to spend just as much," says James. "So now there's a fight to win that IP."

Starting a bug bounty program used to be challenging, but like most things, it can now be outsourced to professionals who help organizations get up to speed quickly and follow established practice. Perhaps the largest of these is HackerOne, a platform that connects businesses with security researchers and manages hundreds of bug bounty programs, large and small. The site gives researchers a dashboard of bounties they can scan for opportunities and use to track payouts. Synack is another option; it offers a more comprehensive, end-to-end vulnerability testing model in which crowdsourced bug bounties are one pillar of the service.

"If I were starting out now, we would definitely consider having an external entity help us," says Koivunen. "Negotiating that part of the daily grind should perhaps be offloaded to a pro that knows their stuff." Lengthy negotiations, often hampered by language barriers, are particularly common in this industry.


Zendesk's Reed agrees that a third party helps, especially when you're just starting out with a bug bounty program. "With a site like HackerOne," he says, "you get a group of security researchers who are already engaged, so you don't have to promote the program yourself. HackerOne gives you ways to talk to researchers and even set up promotional events." Critically, these services also handle the logistics of payments and taxes, a huge time saver for any security team.

You'll also need to consider how to budget for and fund a bug bounty program. At F-Secure, the product and service owners foot the bill directly. "This is a great way to bring security issues to the same table as financial decision-making," says Koivunen. "It makes things more concrete on both sides of the equation."

Another common challenge is the inevitable dispute between the organization and a reporter over how severe a vulnerability really is, which is often a matter of judgment. "Sometimes we wonder whether a report is even relevant enough to warrant a bug fix," says Koivunen, who adds that some bug reporters have tried to blackmail his organization when a hoped-for big payout didn't materialize. Publishing the program's scope and its severity-to-payout scale up front leaves less room for argument when a report arrives.

Nonetheless, Koivunen says he's a huge fan of the program. "I can not only recommend others run a bug bounty program of their own," he says, "but I would even go as far as to argue that it is an act of corporate responsibility to do so. If there is a bug in our security product, it doesn't hurt us—it hurts the end users who depend on our technology to protect their business. We definitely feel the responsibility to get those bugs fixed."

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.