Data security officers typically look for security risks by monitoring reports from automated security systems, listening to employees’ reports of security issues, and/or auditing IT systems. Some security officers, however, rely on a somewhat unusual source – the public. They look to clients, customers, consumers, academics, researchers, amateur hackers, and not-so-amateur hackers to bring security vulnerabilities to their attention. Like many industries that have embraced crowdsourcing, the idea is that the more people that are involved in finding bugs and security flaws the better a company can make its security.
There is a great deal of debate about the merits of listening to the security concerns of people outside of an organization. On one end of the spectrum, some organizations refuse to discuss any aspect of their security with the public. On the other end of the spectrum, organizations proactively encourage the public to report security vulnerabilities by paying well-meaning hackers (usually called “white hat hackers” or “independent researchers”) to report problems. While these organizations view “bounty” programs as commonsense crowdsourcing, others view the concept of paying someone who has hacked a company’s system as extortion.
As more companies move to establish bounty programs third parties have begun to offer platforms or frameworks to help organize the programs. Some frameworks provide a forum in which companies can communicate with hackers, a method to facilitate payments to hackers, and guidelines for hackers to follow when identifying vulnerabilities and reporting them to participating companies. Other platforms promote invitation-only communities to test a company’s security. For many companies this provides a middle ground that permits them to take advantage of crowd sourcing without inviting the world to test their gates.
The following provides a snapshot of information on bounty programs as well as a checklist for organizations that are considering starting a program, or are evaluating the structure of their existing program.
The number of organizations that have established data security bounty programs.1
The percentage of bounty programs that pay a bounty or provide some sort of reward (e.g., swayg).2
Maximum reward offered through Apple’s bounty program.3
$100 to $25,000
Typical range of rewards offered for programs that pay monetary compensation.
If you do not enact a bounty program:
If you do enact a bounty program:
1. Statistics from Vulnerability Laboratory, Bug Bounties, Rewards, and Acknowledgements, http://vulnerability-lab.com/list-of-bug-bounty-programs.php (last checked Dec. 26, 2017).
2. Based upon review of data obtained from vulnerability labs, infra.
3. Mikey Campbell, “Apple’s Bug Bounty Program Hindered by Low Payouts, Reports Say,” ApplieInsider.com (July 6, 2017) available at http://appleinsider.com/articles/17/07/06/apples-bug-bounty-program-hindered-by-low-payouts-report-says (last checked Dec. 26, 2017).