Bug bounties have become more popular, but that isn’t surprising given they have been around for more than a generation. The first bug bounty hunting program originated with computer science professor Don Knuth decades ago. It was for reporting errors in his classic book series the Art of Computer Programming, and in catching bugs in several of his landmark software applications. Since then, these modest rewards of a few dollars have turned into a big business, with dozens of big-name vendors offering their own programs that have significant payouts. For example, a verified iOS remote control hack can receive up to $1.5 million in reward money.
Many vendors have been running programs for several years, such as the various Google properties. Facebook recently posted a five-year retrospective of its own bug bounty program that touched on significant milestones. Other companies that fund their own bug bounty programs include: Microsoft, Mozilla, Yahoo, AT&T, Paypal, Samsung, Github, Mega and Pinterest, just to name a few.
One step in their evolution has been the creation of bug bounty management providers: these are vendors that handle submissions and payouts, set the rules for participation, and generally keep track of all the administration for the program. These include HackerOne (which runs numerous bounty programs for the Pentagon, Dropbox, Zenefits, Uber and Shopify, among other major brands) along with Bugcrowd, the Chinese-based Vulbox.com, BountyFactory.io and Zerodium – just to name a few of these providers.
Several open source communities are also getting into the bounty business: The Open Source Technology Improvement Fund is planning on starting its own program soon, and there is The Open Bug Bounty program, which doesn’t offer any payouts but allows any security researcher to report a vulnerability on any website, with the aim of getting the bug fixed and giving the researcher appropriate credit for its discovery.
The Pentagon program is a noteworthy example of how these bounty efforts grow with success. In its initial round this past spring, the DoD paid out bounties to 138 researchers through the auspices of HackerOne. In October it announced a second effort, this time with a $7 million purse to attract more submissions across up to 14 different challenges.
As the population of bug hunters has grown, there is now sufficient data to draw some conclusions about who is attracted to this calling and how participants can become more successful submitters. Two recent reports, one by Bugcrowd and one by HackerOne, are worth reviewing.
HackerOne customers have resolved more than 31,000 vulnerabilities and awarded hackers more than $10,000,000 in bug bounties. Mark Litchfield was their most successful submitter, earning half a million dollars in proceeds, and was profiled on their blog earlier this fall.
The HackerOne report found that the vast majority of submitters do it purely for financial gain, and six percent of those surveyed made more than six figures in their bounty payouts. Two-thirds of those surveyed enjoy the intellectual challenge of finding and fixing bugs, even without any payouts whatsoever. Not surprisingly, almost all are male and 90% are under 34 years old. But interestingly, more than 70% of the participants are self-taught. Granted, this sample is only of those who participated in the HackerOne-sponsored programs, but that still covers more than 600 individuals who were surveyed.
In the Bugcrowd report, they document that more than 38,000 people have participated in their program from more than 100 countries. Nearly 60% were between 18 and 29 years old, followed by 34% who were between 30 and 44 years old. And 15% of the respondents identified as being full-time bug hunters. Bugcrowd’s survey created a series of personas to explain the demographics of bug hunters, and these include:
- Knowledge seekers who work part-time in hunting bugs but want to increase their skills and eventually move into full-time hunting. Most are younger and have college degrees.
- Hobbyists, who are all about the money and the joy of the hunt itself. More than 80% have some college education and a third have had at least five years of bug hunting experience.
- Full-timers, who are the real professionals and collect the bounties for their main income source.
- Protectors, who are motivated by their actions to help make the Internet safer and who aspire to become full-timers.
- Virtuosos, who are at the top of the food chain. They are driven by the challenge and have the most education and experience and select the most challenging targets too.
The Bugcrowd report has some solid suggestions on how to pick the right kind of bounty program by its scope (which can appeal to different types of hunters), the type of program offered (public or private), and the kinds of rewards offered. Clearly, this will continue to become a bigger business in the future.