Do Bug Hunt Bounties Work In The Real World?

If you have ever watched network television or any of the many movies that have come out in the past couple of years, then there is a good chance that you know what a bounty hunter is. There are several TV shows about the lifestyle, one being the very popular Dog the Bounty Hunter. Even in one of the most popular movie sequels of all time, Star Wars: The Empire Strikes Back, one of the most compelling characters in the story is the bounty hunter Boba Fett.

So the idea of a bounty hunter is not a foreign concept to most people. They might be surprised, though, when they find out that the concept is not relegated only to law enforcement. There are bounties in the computer security world as well.


When a business or a person creates software, it is very hard to test it properly. Even if you have people whose only job is to use the software and make sure that it does not have any holes in it, they still will not be able to catch all of the bugs. No company has the resources to do this when a software product can run to as many as 2 million lines of code.

This is what black hat hackers thrive on. They know that the code base is so big that there are bound to be mistakes inside of it, no matter how much it has been tested. They know that all they need is a little bit of patience plus a good deal of technical knowledge, and they will be able to find a way to bypass whatever security the software might possess. Once they do find that hole, they can create an attack that exploits it and let it spread around the world.

While for years major software companies have relied on in-house testers, open source software has used the people in its community to hunt for bugs. This has proven to be very effective. Being open source does not mean the software has fewer holes in it, but it does mean that the holes are found and patched a lot quicker than they would be if the software were closed source.

Closed source gets the hint

Seeing how much quicker the open source community was able to close the holes in its software, the closed source community decided to take action. The action they settled on was to offer bug bounties. While this has happened in the past, it has never happened as much as it does now. These companies know that the resources they have are not enough to find all of the bugs in their software. So what happens if you do not have enough resources on staff? You outsource the problem to people who might be able to help, and this is what we are seeing a lot of now.

How this happens is that the company will make a posting in the places where white hat hackers hang out. They will announce that they are paying a certain amount of money for holes found in their software. They will then put a restriction on how the hole can be publicized, because they do not want the bad guys to find out about the hole before they are able to fix it. The companies might offer different amounts of money depending on the severity of the hole that is found. Some holes are worse than others, so it makes sense to pay on a sliding scale like this.

Not only does this technique give you more resources when you need them, it also removes the temptation for white hat hackers to go over to the dark side. The reason there are so many black hat hackers out there is that it pays so well, so there is a lot of temptation for people who are on the right side of the law to turn their backs on it and go the other way. If you are offering a paid reward, then you may have stifled that temptation.

So far it seems that bug bounties have been working. We are starting to see more and more companies offering incentives like this, and companies that have been using strategies like this in the past are expanding them to include even bigger prizes. In the past, big companies would consider these same types of hackers, white hat or black hat, the enemy who were exposing their flaws. Now they see this new breed of white hat hacker as an ally in making their product a lot safer than it used to be.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

