A bug bounty program is one where an entity (usually a company) offers up a cash reward for anyone who can positively identify a bug in its software. In effect, it’s a form of crowdsourced software testing or cybersecurity vulnerability hunting.
There are usually strict terms, such as that the bounty hunter must privately disclose the bug only to the company to protect the confidentiality and prevent abuse of the vulnerability in the wild.
There are a few reasons why these programs have become so popular and have found success in recent years:
- The potential for security-related bugs and vulnerabilities are so numerous and varied in any piece of complex software that you need a huge pool of diverse testers to even hope to catch most of them.
- The cybersecurity industry is facing a huge shortage of skilled professionals. Bug bounties may be the only way for certain companies to have the resources to conduct these types of tests.
- Many bugs and vulnerabilities are extremely difficult, if not impossible, to detect or replicate in a developer environment. Bug bounty programs offer the opportunity to find bugs that will usually only emerge in the wild once the software goes live.
- It’s hoped that bug bounties will discourage black, gray, and unsanctioned white hat hacking activities by incentivizing hackers to rather go for the guaranteed cash bounties.
It’s no wonder that companies are willing to offer bug bounties worth hundreds of thousands of dollars. Software giants Microsoft and Apple’s ongoing bug bounty programs offer payouts of up to $250,000 and $1,000,000, respectively.
The concept of running a bug bounty program is certainly not a new one, particularly in the cybersecurity space. On top of big tech companies, even Netflix, HBO, and others have launched bug bounty programs. However, it’s almost unheard of for the government to get involved with these types of schemes.
This particular bounty program, called the “Hack DHS program,” is from the Department of Homeland Security (DHS) and will offer anywhere between $500 and $5,000, depending on the severity of the security vulnerability.
“It’s a scalable amount of money, but we consider that quite significant,” Homeland Security Secretary Alejandro Mayorkas announced Tuesday, speaking at the Bloomberg Technology Summit. “We’re really investing a great deal of money, as well as attention and focus, on this program.”
This news comes on the back of a revelation from US authorities that one of the most widespread vulnerabilities to date has been discovered, potentially affecting millions of devices globally.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious. We expect the vulnerability to be widely exploited by sophisticated actors, and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents.”
- Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability is found in the Java-based Log4j software. This software is ubiquitously used by enterprises and tech firms to log app information. The vulnerability is relatively easy to exploit and can give threat actors access to an organization’s computer server and entire network.
The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply. Companies like AWS and IBM have also released fixes to patch this vulnerability in their products and services.
The DHS aims to verify reported bugs within 48 hours and either remediate or create a remediation plan within 15 days. Their findings and results will help inform possible future bug bounty programs.
It’s hoped that this new initiative will somewhat level the playing field in favor of the authorities who have been overwhelmed with numerous high-profile incidents over the last few years.
References
US government to offer up to $5,000 ‘bounty’ to hackers to identify cyber vulnerabilities
US warns hundreds of millions of devices at risk from newly revealed software vulnerability
