Bug Bounty programs seem to be the ‘in thing’ these days with all manner of companies beginning to offer them (would your company benefit from offering bug bounties?). And a few days ago security vendor Avast! got in on the act. If you are a security researcher or enthusiast then this may be an opportunity for you to discover vulnerabilities in web sites or software and get paid for your efforts too.
Personally I think that bug bounty programs are an excellent idea, as they crowdsource some important work and can, potentially at least, offer impressive returns to the companies that offer them, whilst engaging the security community beyond just dishing out some cash.
“As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful than those that don’t.”
Interestingly, Avast says –
“This makes us probably the first security vendor with a reward program like this.”
– which would be a surprising fact if that is indeed the case. Can anyone confirm whether any other security vendors do or don’t offer a bug bounty program yet?
There are some restrictions to the program though as Avast are only looking for security-related bugs that are related to their product, i.e.:
- Remote code execution
- Local privilege escalation
- Denial of Service (DoS)
- Sandbox escapes
- Some scanner bypasses
The bounties on offer are variable depending on the nature of the discovery but are guaranteed to be worth at least $200. For more serious vulnerabilities, such as remote code execution, the payment could rise to the region of $3,000 – $5,000 and more.