Hackers in the Age of Bounty Programs

The popular culture has depicted hackers as evildoers in movies, in TV series and even in the primetime news. However, the commodification of technology-enabled our modern environment of patch-cycles and hotfix treadmills. We use bloated software every day, and the size of the software is not decreasing, it followed the trend of Moore’s Law for many decades.

Today, the real world of technology is highly dependent on white hat hackers in order to keep their platforms secure. Facebook, Microsoft, Google, and even the almighty Apple are generously paying hackers large amounts of money, usually in the six-digits in order to discover loopholes and flaws in their software. There is a trend towards the normalization of the term hacker, to include not only the knowledgeable cybercriminals, but also those that are highly skilled in IT, which helps fix security issues.

The negative image of being a hacker remains, but this time around – white hat hackers are hitting two birds with one stone. Companies are starting to accept that they cannot keep their software secure by themselves alone, they need external eyes in order to pass a certain acceptable quality of their products and services.

Even in the age of cybersecurity news, there are still many companies that missed the train, the importance of penetration testing and ethical hacking activities. Ethical hackers are self-taught professionals, that loves computers and technology, with the goal of helping companies to harden their cybersecurity.

Vulnerabilities in software, hardware and firmware are money waiting to be earned. That is both true for a black hat and white hat hackers. Blackhat hackers earn a lot of money from the profits of their ransomware, phishing and cyberjacking activities.

“We have long enjoyed a close relationship with the security research community. To honor all the cutting-edge external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program for Google-owned web properties, running continuously since November 2010. Note that the scope of the program is limited to technical vulnerabilities in Google-owned browser extensions, mobile, and web applications; please do not try to sneak into Google offices, attempt phishing attacks against our employees, and so on,” explained Google in their official page, discussing their software bounty program.

Facebook on their part, has their own take with the bounty program: “If you believe you have found a security vulnerability on Facebook (or another member of the Facebook family of companies), we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Facebook’s discretion, based on risk, impact, and other factors.”

Microsoft has been running a bounty program for five years now: “Microsoft offers direct payments in exchange for reporting certain types of vulnerabilities and exploitation techniques. Since June 2013, we have also offered bounties for certain classes of vulnerabilities reported to us. These bounty programs help Microsoft harness the collective intelligence and capabilities of security researchers to help protect customers. Some bounty offerings are time limited so please refer to the table below for complete information on each program.”