If you have ever watched network television or any of the many movies that have come out in the past couple of years, then there is a good chance that you know what a bounty hunter is. There are several TV shows about the lifestyle, one being the very popular Dog the Bounty Hunter. Even in one of the most popular movie sequels of all time, Star Wars: The Empire Strikes Back, one of the most compelling characters in the story is the bounty hunter Boba Fett.
So the idea of a bounty hunter is not a foreign concept to most people. They might be surprised, though, to find out that the concept is not confined to law enforcement. Bounties are used in the computer security world as well.
When a business or a person creates software, it is very hard to test it properly. Even if you have people whose only job is to use the software and make sure it has no holes in it, they still will not be able to catch all of the bugs. No company has the resources to do this when a software product can contain as many as 2 million lines of code.
This is what black hat hackers thrive on. They know that the code base is so big that there are bound to be mistakes inside it, no matter how much it has been tested. They know that all they need is a little patience plus a good deal of technical knowledge, and they will find a way to bypass whatever security the software possesses. Once they find that hole, they can create an attack that exploits it and let it spread around the world.
While for years major software companies have relied on in-house testers, open source software has used the people in its community to hunt for bugs, and this has proven very effective. Open source does not by itself give software fewer holes, but it does lead to the holes being found and patched a lot quicker than they would be if the software were closed source.
Closed source gets the hint
Seeing how much quicker the open source community was able to close the holes in its software, the closed source community decided to take action. The action they chose was to offer bug bounties. While this has happened in the past, it has never happened as much as it does now. These companies know that the resources they have are not enough to find all of the bugs in their software. So what happens if you do not have enough resources on staff? You outsource the problem to people who might be able to help, and this is what we are seeing a lot of now.
How this works is that the company posts an announcement in places where white hat hackers gather, stating that it will pay a certain amount of money for holes found in its software. It then places restrictions on how a hole may be publicized, because it does not want the bad guys to learn about the hole before it has been fixed. Companies may offer different amounts of money depending on the severity of the hole that is found. Some holes are worse than others, so it makes sense to pay on a sliding scale like this.
Not only does this technique give you more resources when you need them, it also reduces the temptation for white hat hackers to go over to the dark side. The reason there are so many black hat hackers out there is that it pays so well, so there is a lot of temptation for people on the right side of the law to turn their backs on it and go the other way. If you are offering a paid reward, you may have stifled that temptation.
So far it seems that bug bounties have been working. We are starting to see more and more companies offering incentives like this, and companies that have used such strategies in the past are expanding them to include even bigger prizes. In the past, big companies considered these hackers, whether white hat or black hat, the enemy for exposing their flaws. Now they see this new breed of white hat hacker as an ally in making their product a lot safer than it used to be.