The relationship between companies, governments and hackers has always been volatile. The word hacker can conjure thoughts of hoodies, financial loss and reputational damage in the minds of CEOs and world leaders. Conversely, hackers may think of large corporations as uncreative, corrupt, bureaucratic nightmares.
Creating a middle ground is vital, however, and bug bounties create a meaningful bridge.
The concept is simple: a company signs up to a bug bounty platform such as HackerOne or Bugcrowd and offers money to those who can find security vulnerabilities in its systems. Hackers create a profile, find the company’s page and click ‘submit’ to file a bug report.
How it works
A private dialogue is opened between the hacker and the company (usually its security team). If the bug is judged to be a valid risk, it is patched and a reward is calculated based on its severity.
How well does it work? Have a look at HackerOne’s hacktivity page, which shows successfully disclosed bugs. The vendor, the type of bug patched, the username of the hacker (with a link to their profile), the risk the bug posed and the monetary amount awarded are all displayed.
How much do companies pay and how many bugs are found? Some fixes are worth several hundred dollars but others can be as high as $200,000 or even more.
Being a bug bounty hunter isn’t a get-rich-quick scheme. Most hackers earn less than $20,000 per year, although at least seven hackers have earned more than $1m, and an ethical hacker from Romania named Cosmin Iordache, or @inhibitor181, has earned more than $2m from HackerOne.
Google paid a record $6.7m to bug bounty hunters in 2020. Microsoft paid $13.7m in 2019-2020 including one reward of $200,000. PayPal handed over nearly $2.8m in bug bounties over two years. Twitter and Intel also use HackerOne's bug bounty program.