The Noggin Blog

Do bug bounties help avoid crisis? Or can they end up being the root of the crisis?

Posted by The Brain on May 11, 2018 7:31:47 AM


Even the most sophisticated systems might be vulnerable to opportunistic hackers. So businesses are doing pretty much everything in their power to protect themselves. And recently, that’s included paying hackers who uncover software vulnerabilities. Folks, we’re in the age of bug bounty programs, officially sanctioned deals to reward researchers who report bugs and security vulnerabilities.

What’s the calculus for businesses here? Well, for the companies running these programs, it’s better to learn about vulnerabilities from a white hat hacker participating in a credible bug bounty program than from a malicious attacker who’ll exploit them.

And even though they’ve recently proliferated, bug bounty programs trace their roots quite a way back. The concept came into being in the 1980s when Hunter & Ready, since acquired by Mentor Graphics, began offering actual cars to actual hackers in return for reports on vulnerabilities in its system. Funnily enough, the hackers ended up opting for the cash option.

Since then, bug bounties have multiplied across industry, but specifically within tech. Think the Apples, Facebooks, Googles, and Microsofts of the world. We’ve also seen a rise in start-ups offering bug bounty platform services, often targeting small and medium-sized businesses. Case in point: one of the leaders in this space, HackerOne, just wrapped up a $40 million investment round. Its security services assist the Pentagon, among other clients.

It’s not just tech investing in bug bounty programs either. Big U.S. regulators, like the Food and Drug Administration, National Highway Traffic Safety Administration, National Telecommunications and Information Administration, and Federal Trade Commission, have launched their own programs.

To be fair, the number of companies isn’t overwhelming quite yet. At present, only six percent of the Forbes Global 2000 have a bug bounty program, according to a recent HackerOne security report. Nor have those numbers been rising rapidly. The remaining 94 percent of companies don’t yet have a sanctioned way to receive reports about their security vulnerabilities.

And predictably, the numbers also reemphasize the point that tech is leading the way. Over half of the top software companies have them. Contrast that with only eight percent of airlines, nine percent of banks, ten percent of auto and truck manufacturers, and 15 percent of consumer financial companies.

But the companies that actually do have these programs in place are paying researchers more than ever before. The average bounty payout has shot up about 16 percent over the last couple of years.

Unsurprisingly, the bug bounty concept hasn’t been without controversy. Last year alone, DJI came under fire when a researcher denounced the bug bounty program at the dronemaker. More infamously, the Uber bug bounty program was at the center of the 2017 data breach incident. To learn more about that incident, check out our spotlight on the Uber data breach.



Topics: Crisis Management, Noggin Crisis
