Bug Bounty Programs: Who Benefits From Them?
A few weeks ago we shared a story that had appeared on numerous news outlets, about a hacker who identified a serious bug on the Facebook site (check the original story out here). The hacker felt he was entitled to a "bounty" reward from Facebook for reporting the bug (the program pays a minimum of $500 per valid report), but was denied the bounty because Facebook said he had broken the program's rules in the way he demonstrated the bug. Everything did work out well for him in the end, though, with him receiving a pretty nice donation from the wider hacker community.
I don't want to go into the details of that story in much more depth, since that has already been done extensively by others, but I do want to discuss an important topic it raises. Technology companies are relying more and more on hackers and testers outside the company to probe their software and report the vulnerabilities they find. Facebook's bug bounty program pays at least $500 to any outside researcher who identifies and reports a security vulnerability that Facebook's own engineers missed, provided the researcher follows the program's rules (staying within scope and not accessing or disrupting other users' data while demonstrating the issue), and many other big tech companies such as Google, Microsoft, and Samsung have similar programs in place.
This trend is a far cry from the kind of relationship that used to exist between software companies and outside hackers. Several years ago, many companies viewed hackers as little more than people looking to exploit a security hole to steal customer information, or to harm the company in any way they could. Granted, there are still MANY such people in the world today, but if programs like these prove anything, it is that not all hackers are so malicious. In fact, Google and Facebook have each paid out millions of dollars to date to outside hackers for finding security vulnerabilities in their software, and they are not alone (Source: TechCrunch).
So what does this all mean at the end of the day? Who benefits? I believe that these bug bounty programs ultimately allow everyone to win, and here’s how:
The tech company: Letting outside testers expose security vulnerabilities that a company's internal engineers missed is a clear win for the company, because every bug found and fixed this way is one that an attacker can no longer use against it. A bounty program complements internal testing and code review rather than replacing them, but it brings in a far larger and more varied pool of testers than any company could hire. In addition, programs like these help build rapport between the company and outside hackers (better to work together than against each other!).
The hackers: In addition to the obvious benefit of getting paid for their work, outside researchers who participate in these programs receive public recognition from some of the biggest players in the tech industry. That recognition can lead to career opportunities for hackers who take the time to prove themselves and their skills.
The customer (you and me): At the end of the day, the major tech companies (ALL companies, for that matter) exist to serve their customers; the reason these companies exist, and the reason they run bug bounty programs, comes back to the experience customers have when they use their software. If there is any program or initiative a company can take that helps ensure its software is safe, secure, and usable for its customers, then it is worth engaging in.
If you have any thoughts or opinions on either the Facebook story from last month or on bug bounty programs in general, we'd love to hear them! Feel free to leave a comment below, or get in touch privately through our Contact page.