
What’s the calculus for businesses here? Well, for the companies running these programs, it’s better to learn about vulnerabilities from a white hat hacker participating in a credible bug bounty program than from a malicious attacker who’ll exploit them.
And even though they’ve recently proliferated, bug bounty programs trace their roots quite a way back. The concept came into being in the 1980s when Hunter & Ready, since acquired by Mentor Graphics, began offering actual cars to actual hackers in return for reports on vulnerabilities in its system. Funny enough, the hackers ended up opting for the cash option.
Since then, bug bounties have multiplied across industry, but specifically within tech. Think the Apples, Facebooks, Googles, and Microsofts of the world. We’ve also seen a rise in start-ups offering bug bounty platform services, often targeting small and medium-sized businesses. Case in point: one of the leaders in this space, HackerOne, just wrapped up a $40 million investment round. Its security services assist the Pentagon, among other clients.
It’s not just tech investing in bug bounty programs either. Big U.S. regulators, like the Food and Drug Administration, National Highway Traffic Safety Administration, National Telecommunications and Information Administration, and Federal Trade Commission, have launched their own programs.
To be fair, the number of companies isn’t overwhelming quite yet. At present, only six percent of the Forbes Global 2000 have a bug bounty program, according to a recent HackerOne security report. Nor have those numbers been rising rapidly. The remaining 94 percent of companies don’t yet have a sanctioned way to receive reports about their security vulnerabilities.
And predictably, the numbers also reemphasize the point that tech is leading the way. Over half of the top software companies have them. Contrast that with only eight percent of airlines, nine percent of banks, ten percent of auto and truck manufacturers, and 15 percent of consumer financial companies.
But the companies that actually do have these programs in place are paying researchers more than ever before. The average bounty payout has shot up about 16 percent over the last couple of years.
Unsurprisingly, the bug bounty concept hasn’t been without controversy. Last year alone, DJI came under fire when a researcher denounced the bug bounty program at the dronemaker. More infamously, the Uber bug bounty program was at the center of the 2017 data breach incident. To learn more about that incident, check out our spotlight on the Uber data breach: