How Do Bug Bounties Work?
Companies create bug bounties to provide financial incentives to independent bug bounty hunters who discover security vulnerabilities and weaknesses in systems. When bounty hunters report valid bugs, companies pay them for discovering security gaps before bad actors do.
What Exactly Is a Bug Bounty?
A bug bounty is a monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to continuously improve their systems' security posture over time.
Hackers around the world hunt bugs and, in some cases, earn full-time incomes. Bounty programs attract a wide range of hackers with varying skill sets and expertise, giving businesses an advantage over tests that may rely on less experienced security teams to identify vulnerabilities.
Bounty programs often complement regular penetration testing and provide a way for organizations to test their applications’ security throughout their development life cycles.
How Does a Bug Bounty Program Work?
Businesses starting bounty programs must first set the scope and budget for their programs. A scope defines which systems a hacker can test and outlines how a test is conducted. For example, some organizations keep certain domains off-limits or require that testing have no impact on day-to-day business operations. This allows them to implement security testing without compromising overall organizational efficiency, productivity, and ultimately, the bottom line.
Bug bounties with competitive payouts tell the hacking community that a company is serious about vulnerability disclosure and security. Programs base reward levels on the severity of vulnerabilities, and rewards increase as the potential impact increases.
Money isn’t the hacker community’s only motivation. Systems like leaderboards that credit hackers for discoveries help them build recognition.
Once a hacker discovers a bug, they fill out a disclosure report that details exactly what the bug is, how it impacts the application, and what severity level it warrants. The hacker includes key steps and details to help developers replicate and validate the bug. Once the developers review and confirm the bug, the company pays the bounty to the hacker.
Payouts vary based on severity and range from a few thousand dollars up to millions of dollars depending on the company and the bug’s potential impact. Developers will prioritize incoming bug reports based on severity and work to resolve the bug. After fixing the bug, developers retest to confirm issue resolution.
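The scope, severity tiers, and report-triage flow described above can be modelled as a small policy check. The following is an added example written for this page; it is not HackerOne's code, and the program scope, reward bands, and SLA windows are constructed placeholder values, not any real program's terms. It shows the two decisions a triage team makes first: whether the reported asset is actually in scope (exclusions always win over wildcard inclusions) and, if so, which severity tier, reward range, and fix deadline apply.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed severity tiers: (reward band in USD, SLA in days). Hypothetical values.
SEVERITY_TIERS = {
    "critical": {"reward_usd": (5000, 30000), "sla_days": 7},
    "high":     {"reward_usd": (1000, 5000),  "sla_days": 14},
    "medium":   {"reward_usd": (250, 1000),   "sla_days": 30},
    "low":      {"reward_usd": (50, 250),     "sla_days": 90},
}

# Fields a disclosure report must fill in before a developer can reproduce it.
REQUIRED_FIELDS = ("title", "asset", "severity", "impact", "steps_to_reproduce")


def _host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a scope entry.

    A leading "*." matches subdomains only (the bare domain must be listed
    separately), so "*.example.com" covers "api.example.com" but not
    "example.com" and not "example.com.evil.test".
    """
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:])
    return host == pattern


@dataclass
class ProgramScope:
    in_scope: list
    out_of_scope: list = field(default_factory=list)

    def covers(self, host: str) -> bool:
        """True if host is in scope; an out-of-scope entry overrides any inclusion."""
        host = host.lower().rstrip(".")
        if any(_host_matches(host, p) for p in self.out_of_scope):
            return False
        return any(_host_matches(host, p) for p in self.in_scope)


@dataclass
class Report:
    title: str
    asset: str                 # hostname the finding affects
    severity: str              # one of SEVERITY_TIERS
    impact: str                # what an attacker could do with it
    steps_to_reproduce: list   # ordered steps for the developer to validate
    submitted: date


def triage(report: Report, scope: ProgramScope) -> dict:
    """Return the first-pass triage decision for a report.

    Statuses: "needs_more_info" (incomplete or unknown severity),
    "out_of_scope" (asset not covered by the program), or "triaged"
    (reward band and fix deadline assigned from the severity tier).
    """
    missing = [f for f in REQUIRED_FIELDS if not getattr(report, f)]
    if missing:
        return {"status": "needs_more_info", "reason": "missing: " + ", ".join(missing)}
    if report.severity not in SEVERITY_TIERS:
        return {"status": "needs_more_info", "reason": f"unknown severity {report.severity!r}"}
    if not scope.covers(report.asset):
        return {"status": "out_of_scope", "reason": f"{report.asset} is not in the program scope"}
    tier = SEVERITY_TIERS[report.severity]
    return {
        "status": "triaged",
        "severity": report.severity,
        "reward_range_usd": tier["reward_usd"],
        "fix_due": report.submitted + timedelta(days=tier["sla_days"]),
    }


if __name__ == "__main__":
    # Constructed scope: the bare domain and its subdomains, minus a status page.
    scope = ProgramScope(in_scope=["example.com", "*.example.com"],
                         out_of_scope=["status.example.com"])
    report = Report(title="Auth bypass on merchant API",
                    asset="api.example.com", severity="critical",
                    impact="Unauthorized access to merchant accounts",
                    steps_to_reproduce=["step 1 (placeholder)", "step 2 (placeholder)"],
                    submitted=date(2024, 1, 1))
    print(triage(report, scope))
```

The deadline arithmetic and reward bands are deliberately simple; a real program would also check for duplicates against earlier reports and let a human override the reporter's self-assessed severity before the reward is fixed.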
Bug Bounty Program Examples
Some of the biggest brands around the world use bounty programs to keep their applications and customers safe. Below are three examples of companies that use HackerOne to run their bounty programs.
Shopify provides e-commerce services to over half a million businesses globally, making security a top priority for Shopify's business success. To date, Shopify has paid out over $1,580,000 in bounties to hackers and offers up to $30,000 for reporting critical vulnerabilities.
In December of 2020, a hacker discovered a critical vulnerability that allowed unauthorized access into merchant accounts. Because of the bug bounty program, the hacker notified the Shopify team, which was able to patch the bug in time for Christmas Eve, one of the biggest shopping days in e-commerce.
The hacker, @cache-money, was rewarded $15,000 plus a $250 bonus for his discovery and disclosure.
Yelp connects searchers to great local businesses worldwide. Yelp has used HackerOne since 2014 to manage its bounty program. Seeing the value in the hacker community, Yelp has 19 different domains in scope, including everything from mobile apps to email systems. To date, Yelp has used its bug bounty program to fix over 300 vulnerabilities and continues to add new applications and domains to its roadmap. Figure 1 below shows the domains within the scope of Yelp's bug bounty program.
Since 2014, the Mail.ru Group's bug bounty program has resolved over 4,300 vulnerabilities. Recently, Mail.ru Group surpassed $1 million in bounty payouts to hackers who helped Mail.ru secure its email hosting.
Mail.ru Group pays up to $35,000 for the highest-impact bugs disclosed and uses a detailed spreadsheet to help hackers understand the estimated payout based on the compromised system and severity level. Mail.ru Group goes as far as paying for bugs found in the applications of Mail.ru’s partner vendors.
How Can I Set Up My Own Bug Bounty Program?
Traditionally, setting up a bug bounty program required companies to build their own communication platform, implement bug tracking systems, and integrate with payment gateways. Now, setting up a bug bounty program is a simple process through HackerOne. The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location.
Detailed reporting metrics give security teams a live look into their bug bounty programs' progress and allow companies to promptly set customized SLAs to resolve new disclosures.
How HackerOne Can Help
HackerOne harnesses the world's largest and most diverse community of hackers to help keep businesses safe by providing an all-in-one platform for continuous and comprehensive security testing. The platform takes a streamlined approach to finding and remediating bugs while supporting everything from disclosure to payout in a single dashboard.