ELI5: What are Bug Bounty Programs?
Companies pay friendly people a reward for finding holes in their security. It is better to pay a friend to find the weak spot than let a stranger find it first.
Definition
Bug bounty programs are formal, incentive-based programs through which organizations invite external security researchers to find and responsibly disclose vulnerabilities in their systems and applications in exchange for financial rewards or recognition. They extend the organization’s testing coverage by leveraging the skills of the global security research community.
Key Details
- Researchers are given a defined scope (which systems are in-scope) and rules of engagement
- Rewards (bounties) are typically tiered based on vulnerability severity (using CVSS or similar)
- Platforms like HackerOne, Bugcrowd, and Synack facilitate bug bounty program management
- Bug bounties complement formal penetration tests by providing continuous, ongoing testing
- Organizations must have a vulnerability disclosure policy and a process to remediate findings
Connections
- Parent: penetration-testing — bug bounties are a continuous, crowdsourced form of security testing
- See also: rules-of-engagement-roe