Should your business start a bug bounty program?


Companies of all sizes are starting to see the benefits of bug bounty programs. Big tech firms including Facebook, Google, Microsoft, and Apple already run such programs, and ChatGPT owner OpenAI recently unveiled one of its own.

At a time when breaches are hitting businesses of all sizes, adversaries are constantly probing for security weaknesses through which to attack. Bug bounties help to address this issue at the source, with researchers finding vulnerabilities before they can be used in real-life attack scenarios.

Bug bounty prizes can be huge, with firms such as Google paying out as much as $600,000 to those who find serious holes in its products. While it might seem like a big outlay, advocates point out that the expense is still smaller than regulatory fines and reputational damage caused by a data breach.

What different types of bug bounty program are there?

Bug bounty programs are typically either public or private. “A public bug bounty is usually listed on sites such as HackerOne and Bugcrowd, or in some cases on the company’s own website,” Joshua Hickling, managing consultant at Pentest People, explains.

A private bug bounty can only be joined by invitation, usually extended on the basis of a researcher’s reputation. For example, those who consistently find pertinent, exploitable bugs will be invited to private programs, Hickling says.

An organization sets the rules of engagement for its bug bounty program, including assets in and out of scope, types of vulnerabilities, permitted testing methodologies, and reward structure. “Hackers can test for vulnerabilities that elude security teams and cannot be discovered by automated scanning tools,” says Kayla Underkoffler, lead security technologist at HackerOne. 


Among the advantages, programs can be effective very quickly. According to Underkoffler, over 75% of new bug bounty programs on the HackerOne platform receive their first valid vulnerability report within 24 hours.

They can benefit firms of any size, but larger organizations that operate complex networks or handle large amounts of sensitive data are more likely to get value out of a program, says Cezary Cerekwicki, head of product security at browser maker Opera. “The larger an organization and a network, the greater the danger that vulnerabilities might go undetected.”

Large firms are a bigger target for adversaries, so a bug bounty offer might even persuade “unethical hackers” to probe for weaknesses with permission, says Leon Teale, a senior penetration tester at IT Governance. “In exchange, they could receive gifts, cash, notoriety, or honorable mentions,” he suggests.

Michael Adams, CISO at Zoom, says the company’s bug bounty program, hosted on the HackerOne platform, helps the firm “proactively mitigate risk and create a safer environment for our customers”.

It can be challenging for companies to identify edge-case vulnerabilities or anomalies that only occur in certain circumstances, says Adams. “That’s where the ethical hacker community can perform a vital function in the continuous testing and probing of technologies. In many cases, they can help organizations save time and money by identifying certain security issues before they become a bigger problem.”

Are bug bounty programs worth the cost?

The cost of running a bug bounty program can vary, but experts say the outlay is worth it. There are two components to the cost: the first is the platform fee, if you use one, with firms such as Bugcrowd or HackerOne offering the service on a SaaS subscription model.

“This is what we charge for connecting organizations that want to run a program with ethical hackers, triaging the results and verifying they are legitimate vulnerabilities – as well as handling payments to the hacker community,” says Dave Gerry, CEO of bug bounty platform Bugcrowd. 

The second cost is the bounties themselves – which according to Gerry, is set by the market. “If a company’s bounty rates are too low, it will struggle to attract ethical hackers to work on the program.”

You do not have to pay, with some companies purely offering an honorable mention or some “swag” in return, says Teale. “Offering a ‘kudos’ can still be helpful to those who would like to gain recognition through this exposure – although paid bounties will always attract more testers,” he says.

The value of the bounty is usually paid based upon the seriousness of the issue, with low severity flaws seeing bounties of anywhere from $0 to $50 and critical issues in some cases exceeding $100,000, says Hickling. “If a vulnerability is identified which could result in the leak of personally identifiable information, paying a $100,000 bounty far outweighs the potential GDPR fines a business could be hit with.”

How to implement a program in your business

The benefits of having a bug bounty program are clear, but there can be challenges when implementing one.

Scoping is important, says Gerry. “To make them manageable, projects are usually targeted at a specific online asset that has already been tested internally. This prevents organizations from exposing themselves to unexpectedly high levels of cost and stops them from being over-run with reports of vulnerabilities.”
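The rules of engagement described earlier (assets in and out of scope, permitted vulnerability types, and a severity-based reward structure) and the advice here to scope a program tightly to a specific asset can be encoded as a policy that triage staff check every incoming report against. The following is an added illustration written for this article, not code from HackerOne, Bugcrowd, Zoom or any other company quoted; the domains, vulnerability classes and reward amounts in `POLICY` are constructed placeholders, and the `triage` and `asset_in_scope` functions are hypothetical names chosen for the example.

```python
"""Added example: a small scope-and-reward checker for a bug bounty policy.

Illustrative code written for this article, not any platform's or company's
own tooling. All policy values below are constructed placeholders.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


# Constructed sample rules of engagement for a hypothetical program.
# Out-of-scope patterns are carve-outs that override in-scope wildcards,
# which is how a program stays targeted at one tested asset.
POLICY = {
    "in_scope": ["app.example.test", "*.api.example.test"],
    "out_of_scope": ["staging.api.example.test", "*.internal.example.test"],
    "allowed_vuln_types": {"xss", "sqli", "idor", "auth_bypass", "ssrf"},
    "excluded_vuln_types": {"dos", "rate_limit", "clickjacking_no_impact"},
    # Severity tiers map to a fixed payout; amounts are made up for the example.
    "rewards": {"low": 50, "medium": 500, "high": 5000, "critical": 20000},
}


@dataclass
class Report:
    """A submitted finding as the triage team sees it."""
    asset: str
    vuln_type: str
    severity: str


@dataclass
class Decision:
    """Triage outcome: whether the report is eligible, why, and the payout."""
    accepted: bool
    reason: str
    reward: int = 0


def asset_in_scope(asset: str, policy: dict) -> bool:
    """Return True if the asset matches an in-scope pattern and no carve-out.

    Out-of-scope patterns take precedence, so staging.api.example.test is
    rejected even though it matches the in-scope wildcard *.api.example.test.
    Hostnames are normalised to lower case before matching.
    """
    host = asset.strip().lower()
    if any(fnmatchcase(host, pattern) for pattern in policy["out_of_scope"]):
        return False
    return any(fnmatchcase(host, pattern) for pattern in policy["in_scope"])


def triage(report: Report, policy: dict) -> Decision:
    """Apply the program's rules of engagement to one report.

    Checks run in the order a triager would: is the asset in scope, is the
    vulnerability class eligible, and finally which reward tier applies.
    """
    if not asset_in_scope(report.asset, policy):
        return Decision(False, f"asset {report.asset} is out of scope")

    vuln_type = report.vuln_type.strip().lower()
    if vuln_type in policy["excluded_vuln_types"]:
        return Decision(False, f"{vuln_type} is explicitly excluded by the program rules")
    if vuln_type not in policy["allowed_vuln_types"]:
        return Decision(False, f"{vuln_type} is not a listed vulnerability class; needs manual review")

    severity = report.severity.strip().lower()
    if severity not in policy["rewards"]:
        return Decision(False, f"unknown severity {report.severity}")

    return Decision(True, "in scope and eligible", policy["rewards"][severity])


if __name__ == "__main__":
    # Constructed sample reports exercising each branch of the policy.
    samples = [
        Report("app.example.test", "xss", "medium"),
        Report("v2.api.example.test", "idor", "critical"),
        Report("staging.api.example.test", "sqli", "high"),
        Report("app.example.test", "dos", "high"),
        Report("www.example.test", "ssrf", "low"),
    ]
    for sample in samples:
        decision = triage(sample, POLICY)
        print(f"{sample.asset:28} {sample.vuln_type:6} -> {decision}")
```

Two design points are worth noting. Carve-outs are evaluated before in-scope patterns, so a wildcard like `*.api.example.test` cannot silently drag a staging host back into scope; and a vulnerability class that is neither allowed nor excluded is routed to manual review rather than paid or rejected automatically, which matches the caution above that outside researchers cannot see every internal mitigation.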

It’s also important that firms are ready and able to take remedial action when flaws are discovered, he adds. At the same time, it’s key to match the skills of ethical hackers with the type of assets to be tested, he says. 

But it can be difficult to identify the true impact of vulnerabilities. While an outside researcher might believe they’ve identified a major flaw, companies often have many defenses and mitigations already in place that are not shared externally, says Adams. 

With this in mind, Zoom is rolling out a “Vulnerability Impact Scoring System” to measure the impact of flaws, and pay researchers for the best bugs. 

Before introducing a bug bounty program, it’s important to consider the business objectives, says Adams. “These will help determine the scope of the program, whether it runs as private or public, and the rewards system. It may attract a range of participants from beginner bug bounty hunters to full-time professionals.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.