What Are Bug Bounties and How Do They Work?

How Do Bug Bounties Work?

Companies create bug bounties to provide financial incentives to independent bug bounty hunters who discover security vulnerabilities and weaknesses in systems. When bounty hunters report valid bugs, companies pay them for discovering security gaps before bad actors do.

What Is a Bug Bounty?

A bug bounty is a monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the hacker community to improve their systems’ security posture over time continuously.

Hackers around the world hunt bugs and, in some cases, earn full-time incomes. Bounty programs attract a wide range of hackers with varying skill sets and expertise giving businesses an advantage over tests that may use less experienced security teams to identify vulnerabilities.

Bounty programs often complement regular penetration testing and provide a way for organizations to test their applications’ security throughout their development life cycles.

How Does a Bug Bounty Program Work?

Businesses starting bounty programs must first set the scope and budget for their programs. A scope defines what systems a hacker can test and outlines how a test is conducted. For example, some organizations keep certain domains off-limits or include that testing causes no impact on day-to-day business operations. This allows them to implement security testing without compromising overall organizational efficiencies, productivity, and ultimately, the bottom line.

Bug bounties with competitive payouts tell the hacking community companies are serious about vulnerability disclosure and security.  Programs base reward levels on the severity of vulnerabilities, and rewards increase as the potential impact increases.

Money isn’t the hacker community’s only motivation. Systems like leaderboards that credit hackers for discoveries help them build recognition.

Once a hacker discovers a bug, they fill out a disclosure report that details exactly what the bug is, how it impacts the application, and what level of severity it ranks. The hacker includes key steps and details to help developers replicate and validate the bug. Once the developers review and confirm the bug, the company pays the bounty to the hacker.

Payouts vary based on severity and range from a few thousand dollars up to millions of dollars depending on the company and the bug’s potential impact. Developers will prioritize incoming bug reports based on severity and work to resolve the bug. After fixing the bug, developers retest to confirm issue resolution.  

Bug Bounty Program Examples

Some of the biggest brands around the world use bounty programs to keep their applications and customers safe. Below are three examples of companies that use HackerOne to run their bounty programs.

Yelp

Yelp connects searchers to great local businesses worldwide. Yelp has used HackerOne since 2014 to manage its bounty program. Seeing the value in the hacker community, Yelp has tens of different domains in scope, including everything from mobile apps to email systems. To date, Yelp has used its bug bounty program to fix over 300 vulnerabilities and continues to add new applications and domains to its roadmap. 

In 2023, a member of HackerOne’s hacker community, @lil_endian, discovered a vulnerability in yelp.com that could allow persistent cross-site scripting and account takeover. The vulnerabilities impacted account security and could enable unauthorized access to user data, putting Yelp and its user’s data at a high risk of exploitation. The vulnerability was classified as "high" severity, and the hacker received a $6,000 bounty for their report.

KAYAK

KAYAK empowers its users to compare hundreds of travel sites at once. Having launched its bug bounty program in 2022, KAYAK has already paid out over $150,000 in bounties. 

While researching zero-day vulnerabilities in mobile applications, the hacker @retr02332 found it was possible for an attacker to gain unauthorized access to the victim's KAYAK account, view their personal information, and perform account actions as the victim — all in one click. Naturally, this kind of vulnerability is considered very important and was classified as a "critical" severity of 9.3.

Basecamp

Basecamp is a leading online project management system, and since launching their bug bounty program with HackerOne in 2020, they've paid out over $300,000 in bounties. 

A high-severity vulnerability was reported by hacker @neex that allows a malicious actor to gain access to sensitive information such as AWS keys and user cookies from Basecamp servers. Leaked user cookies could have led to account hijacking and unauthorized access to user data and accounts on Basecamp. The hacker received a $8,868 bounty from Basecamp for their report.

How Can I Set Up My Own Bug Bounty Program?

Traditionally, setting up a bug bounty program required companies to build their communication platform, implement bug-tracking systems, and integrate into payment gateways. Now, setting up a bug bounty program is a simple process through HackerOne. The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location.

Detailed reporting metrics give security teams a live look into their bug bounty programs' progress and allow companies to promptly set customized SLAs to resolve new disclosures.

How HackerOne Can Help

HackerOne harnesses the world’s largest and most diverse community of hackers to help keep businesses safe by providing an all-in-one platform to perform continuous and comprehensive security testing. The platform takes a streamlined approach to finding and remediating bugs while supporting everything from disclosure to payout in a single dashboard.

HackerOne is the world's largest hacker-powered security platform. Contact us today to learn more about launching your first bug bounty program.