
How Do Bug Bounty and Security Vulnerability Disclosure Programs Work?

If you are into casino games, there is one more way to earn money from them: you can also find the errors in them and report them. For example, if you find an error while playing the Fire Joker slot free version, you can report it to the developer and receive a payment. Of course, online slot machines are not the only place to do this: you can do the same for almost any digital software or service. There are people who earn their living this way, and thanks to them, we get a smoother and safer experience as end users. Their work is called “bug bounty” or “security vulnerability disclosure”, and contrary to popular belief, these are not the same thing. So how do these programs work, and what do they offer? Below you can find answers to all these questions.

What Is a Bug Bounty and Security Vulnerability Disclosure Program?

We should start with the basics. Let’s say you started to offer a digital service by making a big investment. In internal tests, you can detect some problems and vulnerabilities in this service, but some problems can only be detected after the service has been used by a large audience. In other words, even if you do your part, there will certainly be problems that you cannot detect before the service is offered to a wide audience.

In this case, you should ask your users for help: if they report any problems they encounter, you can fix them. So, how do you encourage users to do this? Well, you can encourage them simply by offering a reward for their reports. This is the basic logic behind Bug Bounty and Security Vulnerability Disclosure programs: both encourage users to find and report problems with a service or a product.

The Difference Between Bug Bounty and Security Vulnerability Disclosure

However, although both have the same purpose, they differ from each other in the way they function. Bug Bounty is generally open to all users. The company that offers it gives a reward for reporting bugs, and the amount of this reward depends on how serious the problem is. For example, Apple’s Bug Bounty program is open to everyone, and rewards can range from $5,000 up to $1,000,000. Some examples:

  • Apple pays $100,000 if bugs that make it possible to access iCloud accounts without authorization are reported.
  • If you find a bug that enables data extraction from a locked iOS device, the amount of the reward will be 250,000 USD.
  • If you detect a bug that allows full kernel execution, you can earn $1 million.

Bug bounties are more common than security vulnerability programs, and almost every big company has them. You can see some examples below:

BUG BOUNTY OWNER   MIN. PAYOUT        MAX. PAYOUT
Facebook           500 USD            No max limit
GitHub             617 USD            30,000 USD
Google             100 USD            31,337 USD (and more)
Intel              500 USD            100,000 USD
Microsoft          No minimum limit   250,000 USD
Mozilla            100 USD            10,000 USD (and more)

You do not need to be a “hacker” or a technical expert to win a reward from a bug bounty program. Even end users can earn a reward for reporting simple errors. This, together with the fact that it is open to everyone, is what most clearly distinguishes it from security vulnerability programs.

In this context, it is possible to say that security vulnerability programs (SVP) are much more “serious.” Let’s give a simple example and imagine that you are using a newly released router.

  • An ordinary end user can report a problem with this router and receive a reward from the bug bounty program.
  • A hacker can infiltrate this router and take control of all devices connected to the home network. If he/she reports this serious vulnerability via SVP, he/she will both earn an award and make that router more secure.

SVP is generally not public and mostly offers an anonymous reporting option. This is because the actions taken to detect the relevant vulnerability are often “illegal.” Let’s go back to the example above: even if it was done in good faith, the person who infiltrated that router has actually committed a crime. They may choose not to report the vulnerability for fear of punishment. If, however, you give them an anonymous reporting option, they can report it without worrying about their identity being exposed.

As can be seen from this description, SVP is a program that often involves people known as “white hat hackers.” Companies also organize open-access SVPs from time to time, but their rules involve more than simply reporting a bug. For example, you are asked to hack a certain system within a certain period of time and explain in detail the vulnerability you used. SVP is a program for more serious bugs and vulnerabilities that require expertise to detect. We can summarize the difference between the two programs as follows:

  • With Bug Bounty, you know which bug is fixed, and you can even find out exactly what the bug was.
  • You often do not know about bugs fixed with SVP: the company involved just issues a security update, closing the bug and giving no details.

Both programs allow us to use more secure programs and products. Both are an example of a “win-win” situation: the company makes its product or service safer, and those who report issues get a reward.
