Bug Bounties: The Good, the Bad, and the Frankly Ridiculous Ways to Do It
The concept of bug bounties has come a long way since Netscape launched the first commercial bug bounty program thirty years ago. What started as a simple idea to reward security researchers for finding vulnerabilities in software has evolved into a complex and multifaceted approach, with varying degrees of effectiveness depending on the company's size, focus, and resources.
Commercial bug bounties spread slowly at first, and the idea was initially fraught with danger for researchers. Some companies sued outsiders who found problems with their software, leading to a culture of fear and intimidation. In 2005, for example, Internet Security Systems (ISS) researcher Michael Lynn and the organizers of the Black Hat security conference in Las Vegas were served with a restraining order over his planned talk on serious flaws in Cisco's IOS router software. Lynn quit ISS and delivered the presentation anyway, while Cisco reps spent eight hours physically tearing the pages describing the talk out of the conference handbook.
But that same year, Tipping Point started the Zero Day Initiative, paying for high-impact vulnerabilities with working proof-of-concepts. The practice went into turbo mode when several tech giants picked up the practice, led by Google in 2010, Facebook a year later, and then the biggie – Microsoft – in 2013.
Sorting It Out In-House or Outsourcing?
Katie Moussouris convinced Microsoft to go down the bug bounty route after a three-year fight, ran the Pentagon's first hacking competition, and was chief policy officer at HackerOne. She's now the CEO of Luta Security, a bug bounty consultancy. "If you are somebody like an Apple, Google, or Microsoft, where the sensitivity of your bugs is so high, you do not want [third-party] platforms triaging your bugs," she told us.
"You also don't really want them housing the bugs at all. Any vulnerability in that third-party platform exposes your bugs." Larger organizations have a number of other advantages, she explained. Most bug bounty programs throw up a huge number of false positives or minor flaws that aren't really serious, and the biggest organizations, or those with a security bent, have the IT staff to sort out the wheat from the chaff.
In addition, they have legal departments to handle the non-disclosure agreements that are an essential part of bug bounty programs. With Microsoft, she explained, the company originally set up a pilot called Project Tango (because it takes two to) where individual researchers would work for Redmond under an NDA not to release findings until Microsoft had checked them and issued a fix.
Hiring Dedicated Bug Finders?
But hiring dedicated bug finders isn't really an option for smaller software companies that don't have the budget. "It's very rare that you have an entirely research-focused security person, you want them doing other things," Moussouris said.
"These people might not be programmers. They might not be able to tell the developers how to prevent those bugs in the future. They might just be really good at finding them." There's also a cultural issue, she said, since not everyone in the field wants to work in a corporate environment with endless meetings and team sessions.
The Alternative: Commercial Platforms
Increasingly, companies are hiring skilled pentesters on a per-contract basis for specific jobs. This solves the NDA issue, since non-disclosure would be part of the contract, and the researcher gets paid without having to make bug hunting a full-time career.
The other alternative is to use a commercial platform like HackerOne or Bugcrowd. For smaller companies, or those less focused on security, this provides a way to get bugs in, screen them, and pay the finder's fee with minimal fuss, Moussouris said.
Motivation for Hunters: Fortune, Fame, and Fixing Things
One common misconception is that flaw finders are just in it for the money, but it's more complicated than that. Money is a factor, of course, with many researchers earning significant amounts from bug bounties.
However, fame and the desire to get things fixed are also strong motivators for many security researchers. "The first hacker to make a million dollars total on HackerOne was asked, 'Did you just find a bunch of criticals?' He's like, 'No, I don't look for criticals at all, they're too hard and take too long. I go for automation to get more efficient low- and medium-severity bugs,'" Moussouris opined.
The Future of Bug Bounties
As the industry continues to evolve, it's clear that bug bounties will play an increasingly important role in the security landscape. However, there are also concerns about the impact of AI on the field, with machine-generated flaw reports crowding out human analysis.
Mikko Hyppönen pointed out at this year's Black Hat security shindig that there's been a huge increase in volume of reports, often written by script kiddies with prompt skills. "They call it AI slop," Moussouris said. "It creates a lot of noise for maintainers, especially in the open source world, who can't afford the triage services."
But despite these challenges, many researchers remain optimistic about the future of bug bounties. As HackerOne's Sprague noted, two-thirds of the reports they are getting these days "end up being valid vulnerabilities." And with the development of AI moderation tools, it may be possible to filter out spam and prioritize high-quality submissions.
Will AI Eclipse the Human Hacker?
This hack doubts it. LLMs work on past information, and the intuitive leaps needed to spot serious problems appear to be beyond them, for now. As researcher Kara Sprague said, "The global independent researcher community is a phenomenal source of talent." With continued investment in automation and AI, it's possible that bug hunters will become more efficient and effective, but also potentially less human.