Are Bug Bounties Really Worth The Time And Effort Of The Security Researcher?

The one thing that cannot be denied by anyone is that security is becoming a more serious topic. In the past, the big boss of the business would deny that security was much of a problem and would put limited resources toward it. That is no longer the case, and every business out there is making sure that security is front and center when it comes to their computer strategy. There is no way that you can be a reasonably sized business and not have security as part of your web strategy. One reason is that it would put you at a lot of risk. Your website would be on the web with very little security, and an internet filled with black hat hackers from around the world would be ready to swoop down on it. Another reason why a business of any size cannot disregard security in its software initiatives is that doing so exposes it to civil liability. Today’s consumers expect protection when they use your product, so you have to be sure that you can offer it to them. And if you are not offering any sort of reasonable protection, then you can find yourself being sued by one of your very own customers.


But let’s face it, security is very hard. There are too many variables when it comes to software to be able to secure everything. Even if you hire the best computer security guy in the world, you are still going to have holes that you have to worry about. That is why a lot of companies out there try to get creative when it comes to the security of their business. They try to think of different ways to make the walls of the software impenetrable. While there are many creative ways that companies try to accomplish this, one way that we are seeing on the move is the bug bounty.

What is a bug bounty?

A bug bounty is when a company offers money for someone to come in and try to find holes in their product. There is a very loose set of rules put in place, and if the person is able to find any bugs then he wins some sort of prize. A lot of companies who now do this put several different levels of prize money in place. In competitions like this, the amount of money you get is related to the severity level of the bug that you found. If the bug has a high severity level then you are able to get all of the money. If it is considered a medium level bug then you only get part of the money. This really does make sense, because not all bugs are the same and you really have to take that into account.

But if you are a security researcher, is a bug bounty really worth it to you? There are a lot of people who are willing to pay a lot more money for a bug than you can get in a bug bounty program. Security holes are very big business these days, and that is something that you should think about. But bug bounties do allow you to get a good level of name recognition in the security community. So it is really up to the security researcher what they really want. Do they want name recognition or do they want serious money?


About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.


  1. […] It seems, though, that some companies are more selective than others though when it comes to issuing payments in return for vulnerability disclosures, as appears to be the case with Robert Kugler and PayPal. (Kugler must be wondering whether bug bounties are worth it). […]
