These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla,[4][5] Facebook,[6] Yahoo!,[7] Google,[8] Reddit,[9] Square,[10] Microsoft,[11][12] and the Internet bug bounty.[13]
Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs.[14] The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US Government Agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.[15]
History[edit]
Hunter and Ready initiated the first known bug bounty program in 1981 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.[16]
On October 10, 1995, Netscape Communications Corporation launched a "Bugs Bounty" program for the beta version of its Netscape Navigator 2.0 browser.[17][18][19]
Geography[edit]
Though submissions for bug bounties come from many countries, a handful of countries tend to submit more bugs and receive more bounties. The United States and India are the top countries from which researchers submit bugs.[32] India, which has either the first or second largest number of bug hunters in the world, depending on which report one cites,[33] topped the Facebook Bug Bounty Program with the largest number of valid bugs.[34] In 2017, India had the highest number of valid submissions to Facebook's Whitehat program, followed by the United States and Trinidad and Tobago.[34]
Notable programs[edit]
In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70.[35][36] In 2017, Google expanded their program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store.[37] Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.[38]
Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.[39] In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers including from Uber, Microsoft,[40] Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences.[41] The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[42]
In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program.[43] The program ran from April 18 to May 12 and over 1,400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200.[44]
In 2019, The European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass. The project was co-facilitated by European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities.[45]
Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators.[46]