Jan 19, 2016, 09:11 AM
Legal Login with Mindi Giftos
Bug bounty programs: Hacking for good or evil?
Obtaining cyber insurance, hiring trusted staff to keep your information technology (IT) infrastructure secure, and adopting up-to-date security measures are just a few of the preemptive steps essential to preventing data breaches today. But even after these steps are taken, your company may still be vulnerable. "Bug bounty programs" are an additional tool companies can use to learn about IT weaknesses before they become devastating breaches. The label is occasionally abused, however, so it is important for every company to be aware of what these programs offer and what risks they present.
What is a bug bounty program?
Bug bounty programs are incentive programs offered by companies through which outside IT security professionals can receive recognition and, in most cases, compensation for identifying and reporting errors or bugs that create system vulnerabilities. Essentially, individuals with the skills and tools to hack IT systems find the vulnerabilities, but instead of exploiting them, they report them to the company involved, usually under the company's published rules for what may be tested and how, and often offer to assist in remediating the problem. The advantage of these programs is that they allow companies to identify otherwise undiagnosed security problems before they are actually exploited by hackers and become public.
The first bug bounty program was started by Netscape in 1996. These programs have been gaining more and more traction recently with the looming threat of data breaches. Many companies throughout the world, such as Facebook and Google, take advantage of the benefits of bug bounty programs. While the initial incentives for reporting bugs were relatively minimal, today many companies offer generous rewards to bug bounty hackers for finding system issues. For example, Google offers rewards ranging from $500 to more than $3,000 for the identification of vulnerabilities in Google's operating system that are found in accordance with its bug bounty program guidelines.
What if my company doesn’t offer incentives, but I am contacted?
Many companies today do not have formal bug bounty programs or guidelines. That has not stopped self-described independent "security professionals" from probing those companies' systems anyway in an attempt to gain a financial advantage.
Many companies are finding themselves in the uncomfortable predicament of discovering a data breach incident followed by a letter from a self-proclaimed bug bounty security professional. Those letters typically indicate that while data has been accessed and taken, it remains safe. The individual then requests $5,000 to $25,000 for finding the problem. They also typically offer to assist in remediating the problem.
In these instances, the "bug bounty" looks more like an extortion attempt than a benevolent hand in the fight against hackers. A legitimate participant in a bounty program reports the weakness; this individual has already accessed and removed the data and is demanding payment after the fact. This is particularly unsettling where the "security professional" has taken personally identifiable information, such as credit card or Social Security numbers, and threatens to publicize the security breach or sell the information to the highest bidder if the hacked company does not pay the demanded amount.