Bug bounty program

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation[1][2] for reporting bugs, especially those pertaining to security exploits and vulnerabilities.[3]

These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla,[4] Facebook,[6] Yahoo!,[7] Google,[8] Reddit,[9] Square,[10] Microsoft,[11] and the Internet Bug Bounty.[13]

Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs.[14] The Pentagon's use of bug bounty programs is part of a posture shift in which several US government agencies have reversed course, from threatening white hat hackers with legal action to inviting them to participate under a comprehensive vulnerability disclosure framework or policy.[15]

  1. ^ "The Hacker-Powered Security Report - Who are Hackers and Why Do They Hack p. 23" (PDF). HackerOne. 2017. Retrieved June 5, 2018.
  2. ^ Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. ICTRS '19. Rhodes, Greece: ACM Press. pp. 49–55. arXiv:1909.11166. doi:10.1145/3357767.3357774. ISBN 978-1-4503-7669-3. S2CID 202676146.
  3. ^ Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (November 19, 2018). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure". Crime Science. 7 (1): 16. doi:10.1186/s40163-018-0090-8. ISSN 2193-7680. S2CID 54080134.
  4. ^ "Mozilla Security Bug Bounty Program". Mozilla. Retrieved July 9, 2017.
  6. ^ "Meta Bug Bounty programme info". Facebook. n.d. Retrieved October 17, 2023.
  7. ^ "Yahoo! Bug Bounty Program". HackerOne. Retrieved March 11, 2014.
  8. ^ "Vulnerability Assessment Reward Program". Retrieved March 11, 2014.
  9. ^ "Reddit - whitehat". Reddit. Retrieved May 30, 2015.
  10. ^ "Square bug bounty program". HackerOne. Retrieved August 6, 2014.
  11. ^ "Microsoft Bounty Programs". Microsoft Bounty Programs. Security TechCenter. Archived from the original on November 21, 2013. Retrieved September 2, 2016.
  13. ^ HackerOne. "Bug Bounties - Open Source Bug Bounty Programs". Retrieved March 23, 2020.
  14. ^ "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs". Wired. November 10, 2017. Retrieved May 25, 2018.
  15. ^ "A Framework for a Vulnerability Disclosure Program for Online Systems". Cybersecurity Unit, Computer Crime & Intellectual Property Section Criminal Division U.S. Department of Justice. July 2017. Retrieved May 25, 2018.