Bug bounties: The good, the bad, and the frankly ridiculous
Briefly

Bug bounty programs began with Netscape thirty years ago and have since expanded into many commercial and government variants. The model rewards researchers for responsibly disclosed vulnerabilities, but programs now use diverse payment methods and platforms. Early adoption was slow and sometimes risky for researchers, who faced legal threats and suppressed disclosures. The Zero Day Initiative introduced paid purchases of high‑impact flaws with proofs of concept, and major tech companies accelerated adoption in the 2010s. Organizations choose between in‑house programs and third‑party platforms like HackerOne and Bugcrowd based on size, focus, and operational needs.
Thirty years ago, Netscape kicked off the first commercial bug bounty program. Since then, companies large and small have bought into the idea, with mixed results. Bug bounties seem simple: a flaw finder spots a vulnerability, responsibly discloses it, and then gets a reward for their labor. But over the past decades, they've morphed into a variety of forms for commercial and government systems, using different payment techniques and platforms, and some setups are a lot more effective than others.
Commercial bug bounties spread slowly at first, and the idea was initially fraught with danger for researchers. Some companies sued outsiders who found problems with their software. In 2005, Internet Security Systems (ISS) researcher Michael Lynn and the organizers of the Black Hat security conference in Las Vegas were served with a restraining order over his planned talk on serious flaws in Cisco's IOS router software.
But that same year, TippingPoint started the Zero Day Initiative, paying for high‑impact vulnerabilities that came with working proof‑of‑concept code. The idea went into turbo mode when several tech giants adopted it, led by Google in 2010, Facebook a year later, and then the biggie, Microsoft, in 2013. While some companies chose to run their own bounty programs, others outsourced the work to platforms like HackerOne and Bugcrowd, both founded in 2012.
Read at The Register