Code is vulnerable. You’re probably aware of the vulnerability crisis in Log4j, which the Washington Post calls “the most serious security breach ever.” That vulnerability was discovered as part of Minecraft’s bug bounty program—a deal that gives individuals recognition and payment for finding and reporting software bugs, particularly security exploits. This week, there is news that the US Government is launching a bug bounty program, and Meta (Facebook) is offering bounties to those who find Facebook user data posted openly on the web. How else might bounty programs help improve the tech world?
- New “Hack DHS” program will pay up to $5,000 for discovered vulnerabilities [ZDNet] “The hope for programs like this one is to privately discover and patch holes without relying on external security researchers or random discoverers to do the scrupulous thing and inform the vendor/agency before releasing a vulnerability into the wild.”
- Teen hacker scoops $4,500 bug bounty for Facebook flaw that allowed attackers to unmask page admins [The Daily Swig] “Many celebrities and huge personalities operate through Facebook pages, so if their personal Facebook account is disclosed then it’s like getting their personal phone numbers, which is a great problem to their privacy.”
- Meta expands bug bounty program to reward discoveries of scraped data [TechCrunch] “Researchers will be rewarded for finding ‘unprotected or openly public databases containing at least 100,000 unique Facebook user records with personally identifiable information or sensitive data.’ Instead of its usual payouts though, Meta says it will donate to a charity chosen by the researcher in order not to incentivize the publishing of scraped data.”
- An Ethics Bounty System Could Help Clean Up the Web [Wired] “For users, a bounty system would encourage people to search for ethics violations and report them more quickly. For companies, this system could help them locate and address problems before they cause harm to more customers, generate negative press, and potentially destabilize governments.”
From the Ohio Web Library:
- Allison, Peter Ray. “Debugging Bug Bounty Programmes: Bug Bounty Programmes Have Become Popular, but Poor Programme Management Can Lead to Development Teams Becoming Overwhelmed and Bugs Being Missed.” Computer Weekly, June 2019, pp. 21–26.
- Bock, Lisa. “Bug bounty white hack hacking.” Ethical Hacking: Vulnerability Analysis. 28 April 2021.
- Kerner, Sean Michael. “Bug Bounty Hackers Make More Money Than Average Salaries, Report Finds.” EWeek, Jan. 2018, p. 1.