
Going Hunting: Could Bug Bounty Programs Bring Benefits to Your Enterprise?

By Xuyen Bowles
August 3, 2017

Security-minded organizations know that the next cyber threat may be the worst. That’s why they take preemptive measures to protect their most valuable assets.

Bug bounty programs are an emerging trend among forward-thinking organizations that want to gain valuable information about their security posture while repairing any vulnerabilities that are found. These for-hire teams intentionally attempt to exploit your system’s weaknesses so that you can fix them before a more maliciously minded individual can wreak havoc. However, a bug bounty program alone is not a complete security solution. Your company needs to take a comprehensive approach to cybersecurity, including vulnerability assessments and penetration testing; a bug bounty program is simply an additional layer of protection.

Read on to find out more about these innovative programs and how your organization might benefit from using one.

A Brief History of Zapping Bugs

Bug bounty programs have existed for at least two decades, but they have only recently become common parlance for information security teams in the corporate world. In the mid-1990s, only about a dozen organizations offered bug bounties, starting in 1995 with a program dedicated to rooting out issues with the Netscape Navigator 2.0 web browser.

High-profile companies, such as Google, Facebook and Microsoft, have all used bug bounties in addition to their robust security teams, lending credence and popularity to the trend. Mozilla, creator of the Firefox browser, created a bug bounty program in 2004 that continues to this day and has paid out over $1 million in awards. Google’s Vulnerability Reward Program, founded in 2010, has paid out over $6 million, and Facebook’s program, which launched a year later, has given $4.3 million to researchers.

Fantastic Bugs and Where to Find Them

Some bug bounties focus on customer-facing websites, tools and applications, whereas others specialize in software or even hardware. While the tech industry uses them most often, these code-cracking teams pop up in industries as varied as gaming, retail and travel. Of course, any bug bounty program requires extensive resources (or the resources of a well-equipped third party) to manage, so be certain you have the money and time to devote to one.

One of these programs may be best used as a skillful extra set of eyes on your existing security practices. You might also consider giving your most critical functions an additional layer of scrutiny. Whatever the approach, bug bounties work most effectively when an organization’s security infrastructure is already mature, not when it is in its infancy or has yet to undergo rigorous testing.

Think about it: introducing a team designed to exploit vulnerabilities and seek out bugs when a security system is still growing will cost you significant time (and money) as you repair each issue. Bug bounty programs should be a finishing, not foundational, element.

Bugs, Bugs Everywhere

Several high-profile examples of bug bounty programs have encouraged many organizations to consider whether the strategy would be right for them. The sensitivity of the digital information that cyber threats can compromise, and the widespread potential for hacking teams to gain access to that information, are helping to push bug bounty programs forward as a possible solution.

To Hack a Slack

In March, team collaboration and communication giant Slack reported that a researcher had found a vulnerability in Slack’s code. It could have been used to take control of an account through a compromised authentication token and read archived messages, a primary function of Slack’s heavily used application.

The lauded researcher, Frans Rosen of Detectify Labs, detected the vulnerability and quickly created a proof-of-concept showing how a malicious webpage could masquerade as a phony server. Rosen contacted Slack through a hacker disclosure service, and Slack repaired the issue within five hours of the report. So far, there is no indication that the bug has been exploited in the last two years, and Rosen was paid $3,000 as a reward for his timely find.

Bugs-Be-Gone at the Pentagon

Last month, Hack the Pentagon founders Katie Moussouris and Lisa Wiswell discussed their initiative to create a groundbreaking bug bounty program for the U.S. government. After successfully convincing Microsoft to adopt a similar program in 2013, they helped launch Hack the Pentagon at the Department of Defense, despite considerable anxiety.

Moussouris, the CEO of her own security company, described Hack the Pentagon as “significant” and an unquestionable success. Wiswell added that “bug bounty programs are here to stay” for the U.S. government, and has found herself consulting other departments on how to run successful programs of their own.

Hacking for Good

The Pwn2Own hacking contest, founded by the Zero Day Initiative, is a modern-day example of running a bug bounty program on a high-profile platform, both to boost awareness of such programs and to help find critical vulnerabilities.

Since 2007, Pwn2Own has taken place at the CanSecWest conference in Vancouver and seeks to find security issues in operating systems, browsers, plugins, applications, servers and virtual machines. This year it offered an $80,000 cash prize, among other lucrative rewards, to anyone who hacked the Google Chrome or Microsoft Edge web browsers.

Letting the Right Ones In

Naturally, you will have concerns about allowing access to the source code behind your firewalls and other protective infrastructure, particularly to a third party whose whole purpose is to hack and break what you’ve tried very hard to build. You have limited visibility into the bug bounty hunters’ activity, and they may inadvertently access sensitive data in your system or further compromise your security through unexpected tests. A fundamental trust must exist between the program and the company using it.

Who Can You Trust?

Should you wish to employ a bug bounty team, consider the model that Apple recently utilized, wherein they announced an invitation-only program. Allow small, elite and vetted teams to work for a few weeks on closed and confidential applications or websites to establish a working trust before opening up the process to your system at large.

Another option for modern security teams is to use third-party platforms, such as Crowdcontrol from Bugcrowd. Many popular companies, including Indeed.com, Jet.com, Western Union and Pinterest, have used Bugcrowd’s bounty programs over the past few years and benefited from their organization and management.

Talk to your company’s cybersecurity expert to get their recommendations for adding a bug bounty program to your existing security efforts.

KEYWORDS: bug bounty, ethical hacker, red teaming, security investigations, security risk management, security vulnerability


With 20 years of experience in the enterprise space, Xuyen Bowles now oversees one of the most successful cyber security firms in San Diego, CA. Sentek Cyber (a division of Sentek Global) offers a wide array of cyber security protection, from penetration testing, consultancy and training to advanced threat detection. "It's not a matter of if, it's a matter of when." Ms. Bowles finds great gratification in helping companies ensure they are safe from data breaches.
