The Weird, Hyper-Incentivized World Of “Bug Bounties”

Hackers can be your company’s greatest resource. Here’s how to harness their power without inviting actual attacks.


When Brazilian computer security expert Reginald Silva found a security hole in Facebook’s servers, he quickly let the company know. And Facebook didn’t just thank him: the social networking giant paid him a $33,500 reward, which the company said in a blog post is the largest single payout yet in its ongoing bug bounty program.


Bug bounties–rewards offered to anyone who finds critical defects in software–have existed at least since 1995, when Netscape offered cash prizes to anyone finding “significant security bugs” in Netscape Navigator 2.0. Mozilla, Netscape’s successor in the browser wars, announced its own bounty program for Firefox and other products in 2004.

And since then, companies including AT&T, Etsy, Facebook, Google, Samsung, and Yahoo have all launched formal programs to offer cash rewards and public recognition for bug finders, according to a list maintained at. Bug bounties help motivate hackers to disclose bugs responsibly rather than sell security holes on the black market, advocates say.

“Over the last two years, the Facebook Security Team has rolled out a successful whitehat program, paying researchers well in excess of 1 million dollars for helping us make our site more secure,” wrote Facebook chief security officer Joe Sullivan in a post in August.

Facebook security engineer Collin Greene advises companies interested in starting a bug bounty program to be prepared to respond to bug reports quickly.

“Also, don’t underestimate the workload,” he says via email. “We received over 16,000 submissions in 2013, and each one was reviewed in depth by a security engineer. It’s a lot of work, but it can also be incredibly rewarding if done well.”

Researchers from the University of California at Berkeley who studied rewards offered by Mozilla and Google for bugs in Firefox and Chrome found in a paper presented last year that bug bounties can be more cost-effective than hiring security consultants to stamp out vulnerabilities.


They also offered some suggestions for companies interested in launching their own bounty programs, after estimating that Google’s bounty program uncovered about 2.6 times as many bugs as Mozilla’s over a three-year period, with the two companies each spending just under $600,000 on bounties.

The researchers said Google likely benefited from publicity for its bounty program, boosted by its annual Pwnium challenge, and that researchers appreciated the company’s consistently speedy approach to patching bugs. And, they said, Google’s program offered a tiered system of rewards, with bigger payouts for more sophisticated bugs, which was more exciting for bug-hunters than Mozilla’s standardized $3,000 payouts.

“This makes sense with an understanding of incentives in lotteries,” the researchers wrote. “The larger the potential prize amount, the more willing participants are to accept a lower expected return, which, for [bug bounty programs], means the program can expect more participants.”

For companies that want to offer a bounty program but aren’t sure where to start, one startup called Bugcrowd advertises that it will handle the details of vetting researchers, verifying bugs, and paying out rewards.

“Bugcrowd does the grunt work while you get back to your day job,” the company says.

To some extent, tech companies are caught in a bidding war with black-market exploit buyers willing to pay for backdoors into popular apps and websites for their own nefarious purposes. In a November blog post announcing an expansion of Microsoft’s bounty program, senior security strategist Katie Moussouris said the program should help in “cutting down the time that exploits and vulnerabilities purchased on the black market remain useful.”


And the Berkeley researchers pointed out that both Mozilla and Google have increased their bounties for browser security bugs.

“Doing so increases publicity, entices participants, and signals that a vendor is betting that their product has become more secure over time,” they wrote.

But a fair share of the comments on the post announcing Facebook’s largest-ever payout to Silva for the bug he found, which exploited how Facebook processed XML data related to the OpenID shared sign-in system, argued he should have received far more.

In his own blog post, Silva jokingly cited a Bloomberg story where Facebook security director Ryan McGeehan pledged that even “a million-dollar bug” would be paid for under the program.

“Unfortunately, I didn’t get even close to the one-million dollar payout cited above,” Silva wrote.