Hackers to the Rescue: An Overview of Bug Bounties


For far too many companies worldwide, a computer intrusion is a matter of when, not if. Some experts place the probability that a given organization suffers a data breach at around 30%, which means potentially devastating trouble is lurking for nearly one in three businesses. And when cybercriminals do get into corporate systems, the price tag can be substantial: recent estimates put the average cost of a breach in excess of $3 million.

The good news is that organizations in the private and public sector have at their disposal an arsenal of tools to combat cybercrime. Among them are bug bounty programs, a lesser known but increasingly used method of finding and fixing security vulnerabilities in systems and applications.

What’s a Bug Bounty?

A bug bounty program gives ethical hackers explicit permission to probe an organization's systems, applications and data for security weaknesses, in exchange for a monetary reward for each valid vulnerability they discover and report. Essentially, bug bounties let a company draw on the community of ethical hackers (also known as "white hats"), those authorized to test the organization's IT assets, to emulate the techniques of real attackers and surface vulnerabilities that can be fixed before cybercriminals come calling.

Here's how bug bounties work. A company first settles on a budget for its program and then publishes its rules of engagement: which systems, applications and domains are in scope, which kinds of testing are prohibited (for example, denial of service or social engineering of employees), and how findings are to be reported. Some businesses open nearly their whole attack surface to white hats; most keep certain production components off-limits so that testing does not interfere with operations, productivity and profits. A well-run program also states in writing that good-faith testing within those rules will not be treated as unauthorized access, since without such safe-harbor language participants take on legal risk simply by doing what the company asked.

Ethical hackers then go to work, testing the in-scope systems for vulnerabilities that could lead to a security breach. When a problem is found, the hacker (or team of hackers) submits a report notifying the company that engaged them of the vulnerability uncovered, its impact, and the step-by-step details developers need to reproduce and validate the bug. A good report also suggests options for remediation. The bounty pays for the discovery and the report; shipping the actual fix remains the company's responsibility.

In terms of compensation, ethical hackers are paid sums commensurate with the severity of the vulnerabilities they detect. These amounts range from a few hundred dollars for a low-severity bug to seven figures for the most critical findings at the largest programs, depending upon the gravity of the security risk revealed and, of course, the size and budget of the company in question.

Of note, money’s only a part of the equation for the ethical hacking community. The pride, recognition and “street cred” that comes along with a successful security assessment is a further motivating factor for any white hat worth his or her salt.

The Undeniable Value of Bug Bounty Programs

As companies and organizations like Facebook, Yahoo, Google, Yelp, Microsoft and even the U.S. Departments of Defense and Homeland Security know, bug bounty programs are advantageous for several reasons.

First and foremost, they serve to (1) identify vulnerabilities that, if left unremedied, could be exploited by malicious hackers and cybercriminals, and (2) give the company the information it needs to patch them. No patch renders a network impenetrable, but each one closes a door an attacker could otherwise walk through. As such, a bug bounty can be an invaluable resource for companies looking to protect their IT assets and reputation and limit legal and financial exposure.

Likewise, the rewards paid to the ethical hackers who shine a light on an entity's weaknesses are typically a small fraction of the cost of remediating a cybersecurity incident at the hands of a criminal enterprise. Even a large bounty is, in almost every case, far cheaper than a data breach.

It gets even better. Because ethical hackers are paid only if and when they uncover a valid vulnerability, the financial risk of launching a bug bounty program is modest. The main ongoing cost is internal: someone must triage submissions, separate duplicates and out-of-scope noise from real findings, and drive the fixes through, and a program that cannot keep up with that work quickly loses researchers' trust. For this reason, bug bounties are best viewed as a complement to, not a replacement for, regular penetration testing, which has its own limits.

As a matter of fact, one of the drawbacks of penetration testing is that it is typically conducted by a single security professional, or a small team, working against a fixed scope for a fixed number of days. Bug bounties, on the other hand, are open to the universe of ethical hackers, hundreds if not thousands of individuals bringing to the table a breadth of experience and skillsets that more closely replicates the variety of techniques cybercriminals actually use, and they run continuously rather than as a point-in-time snapshot.

It Takes a Village

For the good of all private and public entities, and the people they serve, data and network breaches are to be avoided wherever possible. Which is why it would be wise for every company to create a bug bounty program and tie it into its Incident Response Plan (IRP) and data lifecycle management program (DLMP), so that a submission revealing active exploitation or exposed data is escalated as an incident rather than handled as a routine bug, and so that the program supports data privacy and cybersecurity compliance.

It's important to understand that many state laws, including the California Consumer Privacy Act (CCPA), expect organizations to maintain reasonable security practices, and that state attorneys general and the Federal Trade Commission will scrutinize an organization's data privacy and cybersecurity program after a breach. Having a robust, evergreen IRP that includes a supervised bug bounty program helps demonstrate that such practices were in place. That is no guarantee against enforcement, but bug bounties, IRPs and DLMPs can prevent or diminish risk, liability, penalties and fines from regulators.

No doubt about it: bug bounties, together with penetration testing, IRPs, DLMPs and the insight of experienced legal counsel, go a long way toward maximizing available protections and shielding IT assets from bad actors near and far.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.