Corporate initiatives that pay researchers who discover vulnerabilities in their software – commonly called bug bounty programs – are only becoming more popular, and researchers from the University of California, Berkeley, recently published a study they hope will serve as a template for vendors looking to improve or launch their own efforts.
In their study, researchers Matthew Finifter, Devdatta Akhawe and David Wagner focus on vulnerability reward programs (VRPs) for software, specifically Google Chrome and Mozilla Firefox. Website VRPs, which Google also offers, are a newer and expanding segment of the bug bounty market.
The study found that Chrome's rewards program has doled out roughly $580,000 since it was kicked off more than three years ago, resulting in 501 separate rewards. The Firefox program has paid out about $570,000 over the past three years, covering 190 bounties. Mozilla has run such a program since 2004, making it one of the earliest adopters.
All told, about a quarter of the vulnerabilities publicly disclosed in security advisories by these two companies were discovered through the bounty programs. This led the study's authors to assert that the programs have been a success – and that they could serve as a viable alternative to contracting with professionals or hiring full-time staff to find vulnerabilities.
“Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers,” they wrote.
Jeremiah Grossman, co-founder and CTO of WhiteHat Security, told SCMagazine.com that even though his company specializes in website vulnerability detection, he supports rewards programs.
“It is a great way to crowdsource vulnerability assessment,” he said.
But he said downsides include the cost of managing the programs, explaining that one workaround is to partner with third-party bounty programs, such as TippingPoint's Zero Day Initiative (ZDI) or Bugcrowd.
That may explain why some companies, such as Adobe and Apple, are resistant to paying researchers and have instead found other ways to thank them, including points systems. Microsoft was also a longtime holdout, but last month announced a limited bug bounty program. Other companies that have adopted monetary reward programs include PayPal, AT&T, Samsung, Facebook, Etsy, Cryptocat, LaunchKey and Barracuda Labs.
In addition, there’s always the concern that the programs will lose out to higher bidders, including on the black market.
According to the study, just three Chrome contributors – out of 82 – reported earning more than $80,000 over the three years studied, and only five more reported earning more than $20,000. Out of 70 Firefox contributors, only one reported making more than $141,000 across three years, while five others reported earning more than $20,000.
And researchers such as Dino Dai Zovi, who famously helped launch the "No More Free Bugs" campaign in 2009, said companies should focus on building resilient products before they go to market, with bounties as a complement rather than a substitute.
“For most products, security reviews by pros should happen before product is shipped and bug bounties after,” he tweeted.