Bug Bounty Program: When Businesses Collaborate With Hackers

Over a decade ago, an idea like the Bug Bounty Program was practically unheard of. It certainly wasn’t mainstream like it is today. There was a deep rift between companies and hackers, a group that included members of the information security industry.


The disconnect existed because of a lack of trust between the two parties. After all, trusting a stranger who was hiding behind IP anonymizers with a shady online alias didn’t exactly sound like the best idea.


Worse, if you informally authorized that person to discover vulnerabilities in your company’s network, you would be hoping with fingers crossed that sensitive company data wouldn’t be exposed or stolen. There was a huge liability concern, and no one at the time knew how to address the elephant in the room.


Engage-At-Your-Own-Risk Scenario


From a hacker’s perspective, they were lucky back then if they could find serious posts from legitimate companies wanting to collaborate with hackers on vulnerability disclosure, because the offers were few. Participating in online challenges offered by actual businesses, if hackers could even find them, meant possibly exposing themselves to self-incrimination.


This resulted in a kind of stand-off between the two parties, primarily because hackers suspected that companies were acting as fronts for law enforcement on baiting missions to catch them. But it was also because performing vulnerability assessments on another person’s online property was a gray area from a legal point of view, since most offers were made and closed in an informal fashion. It was an engage-at-your-own-risk scenario.


The few hackers who reported vulnerabilities were getting in trouble because they weren’t asking permission from the companies they were scanning, even though they were trying to disclose vulnerabilities to protect businesses from malicious threat actors. It was a gray area all around, and nobody really knew how to proceed.


Back in 2008, in the days of GeoCities, there was a niche spot on the web where a small handful of brave companies periodically posted bounties and challenges for vulnerability disclosure aimed at hacker communities. Sometimes the reward was a large sum of money; other times they were just challenges posted by some cocky system administrator wanting to prove that his handiwork was somehow impenetrable.


Some people back then apparently still held to the notion that some systems are impenetrable. To a hacker, there is no greater opportunity than to hack what is thought to be unhackable. Even the allure of money simply cannot compare to the thrill of contradicting such a brazen claim.


Blast From The Past


Though collaboration between hackers and businesses was relatively sparse back in the day, roll back the clock two decades earlier and you arrive at the era of the first bug bounty in 1983, which involved the Versatile Real-Time Executive (VRTX) real-time operating system (RTOS) designed by Mentor Graphics.


The company offered a generous reward for anyone who discovered and reported a bug in their OS. Guess what the reward was? A Volkswagen Beetle. You have to love the irony.

This was history’s first bug bounty program. Mentor Graphics pioneered the concept of bug bounties, even before we had a name for it.


Fast-forward a decade, and we arrive at the era of the Netscape 2.0 beta web browser, which launched on Oct. 10, 1995. The browser was released on every Windows OS platform from 3.1 to NT, and was available on Apple Macintosh, Linux, and pretty much everywhere else.


Netscape offered a cash incentive to non-employees for reporting bugs in the web browser until its final release.


The Struggle For Security


According to Norton Antivirus, a new cyberattack emerges somewhere on the internet every 39 seconds, which amounts to around 2,244 attacks a day. These statistics only encompass known incidents. The number of undetected intrusions could be staggering in comparison. Cyber threats are proliferating faster than security researchers can stop them.


Additional statistical data published by the cybersecurity education platform DataProt shows that 560,000 pieces of new malware are discovered daily. What’s even more alarming is that there are now over one billion malware programs in existence today.


You could argue that cybersecurity has evolved into a war between threat actors and companies fighting to hold back the tides of malicious forces.


Therefore, when you look at figures of this magnitude, it can be deduced that companies absolutely have a vested interest in obtaining and maintaining a foothold in the cybersecurity arena, and recruiting as much manpower as possible from international security experts is how this is being done.


This is where the bug bounty program comes in.


Bug Bounty Program 101


We are now living in an age where hackers have finally become demystified. More importantly, hackers are now better understood than at any other time in recent history. No longer are hackers believed to be able to whistle nuclear launch codes into NORAD from a payphone, or depicted by Hollywood as having glowing codes superimposed on their faces when they are hacking.


A working relationship was needed to bridge the gap between industries and cybersecurity experts, regardless of one’s profession or qualifying credentials. Results speak for themselves.


Simply put, experts have now come to the realization that hackers aren’t all cut from the same cloth, and that, given the current climate, it is detrimental to exclude their skill sets from helping develop a more secure web for businesses and the many online services used by everyday users.


Businesses now openly post opportunities for security experts and researchers to search for, assess, and report vulnerabilities. Cybersecurity education platforms like PortSwigger, HackTheBox, and TryHackMe are just a few of those that offer free training courses to upcoming bug bounty hunters.


In recent news, ZTE, a phone manufacturer located in China, started a public bug bounty program that offers up to €2,000 ($2,300) for reporting vulnerabilities in ZTE products. The bounty posting was published on the vulnerability disclosure website YesWeHack.


“Through openness and transparency, we try to give our customers confidence by letting them see what we do and how we provide end-to-end security,” said Zhong Hong, the chief security officer at ZTE. “Our partnership with YesWeHack will help to enhance the security of ZTE’s products and confront new challenges brought by the 5G network commercialization.”

Ultimately, every bug that is reported is another door closed. With every fixed vulnerability, a security hole is plugged, an incident is prevented, and the number of opportunities a malicious threat actor could exploit is reduced.


An article by Jesse McGraw. Edited by Ana Alexandre.

