These hackers are part of bug bounty programs, in which companies like Bitdefender, Barracuda Networks and Kaspersky Lab offer rewards for finding and reporting software bugs so they can be fixed before cybercriminals exploit them.
HackerOne is the platform behind many of these programs. HackerOne customers have resolved more than 64,000 vulnerabilities and have been awarded more than $25 million in bug bounties.
To get the lowdown on bug bounty programs, we spoke with Adam Bacchus, HackerOne’s director of program operations. He runs HackerOne’s internet bug-bounty program, disclosure assistance and other efforts to help organizations start and run successful bug-bounty programs, help hackers succeed, and generally drive the creation of bounties.
“Bounty hunters are definitely the leaders in the space,” he said. “When you have a bug bounty program, you have a veritable army. It’s almost like a neighborhood watch where you have hundreds or thousands, or hundreds of thousands of hackers who are all watching out for you and they’ve all got your back. And they are very much on the front line in the way that they’re constantly watching out and looking for vulnerabilities, and giving you a friendly head’s up if they find something.”
Bug bounty programs basically are vulnerability disclosure programs with an added financial incentive, Bacchus said.
“A disclosure program is saying, ‘Hey, if you’re a hacker out there, a friendly hacker, and you found a bug in one of our systems, this is how you can contact us and tell us about it, and we have an agreement with you, we’re not going to try to sue you or throw you in jail,'” he said. “Here [are] the rules of engagement, here’s what you can hack on, here’s what you can’t hack on, and please don’t go after other users’ data. In a bug bounty program, we’re also saying, “Hey, depending on the severity of the bug, if you find a huge bone-crushing issue, we’re willing to pay out a certain amount of money depending on the severity of the bug. They’ll reward you for taking the time to do that research and letting us know about that issue.”
When a company launches a bug bounty program, lots of bugs are found because “you’re leveraging the power of hundreds if not thousands of eyeballs looking at your property,” Bacchus said.
“What we’ve seen on all of our programs that we run is after the initial spike, things will tamper down a little bit once the low-hanging fruit has been caught,” he said. “So what most programs will do is, over time they’ll actually increase the bounty amounts so as bugs are harder to find, you essentially have to pay more to get that return on investment from hackers. And you eventually move or shift from improving the security to what we call proving security in that lots and lots of hackers are going after you and trying to find bugs. If the well is starting to dry up, that’s a good sign …