Vulnerability Management

DefCon: Bug bounty programs continue to evolve

Hunting for vulnerabilities has come a long way.

During a session entitled “Bug Bounty Programs Evolution” at DefCon 22 in Las Vegas, Nir Valtman, enterprise security architect of NCR Retail, said that the first example of a bug bounty program came in 1995 when Netscape sought to ensure high quality software.

Back then, Netscape offered branded mugs and shirts as rewards; today, companies such as Mozilla offer $10,000 for reporting certain vulnerabilities, according to Valtman. 

Some problems include sensitive data leakage, denial-of-service, and taking exploits to underground markets for more money, Valtman said. A lack of transparency with companies can also be frustrating, he added.

Next generation bug bounty programs should find a way to allow penetration tests, but prevent malicious exploitation, Valtman said, adding that programs could broaden to engage attorneys, business analysts and others to uncover a wider range of flaws.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.