Bugs for cash: Bounty hunters in the new wild west of security

Apr 20, 2016 | 5 mins
Application Security, Internet Security, Security

How security researchers and programmers hunt software bugs for cash rewards

The business of bug hunting is a potentially lucrative one for both seasoned security researchers and amateurs with an interest in hacking. It’s an area that’s gaining legitimacy thanks to official bug bounty programs and hacking contests, but there’s still a seedy underbelly that unscrupulous bounty hunters can take advantage of if they successfully identify a vulnerability.

The average cost of a data breach is $3.8 million, according to research by the Ponemon Institute. It’s not hard to understand why so many companies are now stumping up bounties. It can also be very difficult, time consuming and expensive to root out bugs and flaws internally. Turning to the wider security community for help makes a lot of sense, and where there’s need there’s a market.  

Let’s take a closer look at how the market works.

White market for bugs

Assuming you are a law-abiding, morally upright citizen, you have three options when you identify a serious flaw:

  1. Submit directly to the vendor
  2. Submit to a third-party bug-bounty program
  3. Submit to a hacking contest

Big players such as Google, Samsung and Facebook all offer bounty programs. Back in 2014, Facebook fixed 61 high-severity flaws through its bug bounty program. Since its bug bounty program began in 2011, the social media giant has doled out more than $4.3 million to more than 800 researchers after receiving in excess of 2,400 valid submissions, according to its 2015 Highlights report.

A lot of flaws can earn a lot of money

We’re also seeing the rise of many third-party platforms, such as Bugcrowd. These companies allow clients to list applications they want tested and offer bounties that crowdsourced security talent compete for. Tesla, Western Union, Pinterest and many other companies are customers. Founded in 2012, Bugcrowd boasts that more than 27,000 researchers have identified more than 53,000 vulnerabilities for more than 250 companies since it started trading.

Hacking contests such as Pwn2Own are another option. Hackers demonstrated 21 new vulnerabilities in attacks on browsers and operating systems this year. There are sometimes large cash prizes, and job offers are likely to follow for anyone who finds a big vulnerability that doesn’t involve jumping through too many hoops. Sometimes companies, including Google and Microsoft, run their own hacking competitions.

The dark side of bug bounty hunting

Beyond the white market, there’s also a gray market, with questionable legality. Security researchers can sell vulnerabilities to private brokers with policies about only selling to ethical and approved sources. In that case, the vulnerability may end up being used to spy on private citizens suspected of crimes or used to shut down a terrorist organization, according to Hewlett Packard Enterprise’s Cyber Risk Report 2016. However, it’s often unclear, and sellers can only guess at how the vulnerability may have been used.

In the black market, which is unquestionably illegal, the vulnerability simply goes to the highest bidder. It might be sold to a cybercriminal or network of criminals. It might also be used for corporate spying or even national spying. The seller generally has no insight into how the vulnerability will be used, but it’s a safe bet that someone is going to end up at a disadvantage.

Slow to respond

Finding vulnerabilities is just the beginning. Far too many developers are slow to patch those flaws. This can lead the researchers who uncover them to disclose flaws publicly, piling on the pressure for the vendor to take action. They might lose out on a potential bounty, but they’ll still be able to discuss the flaw and benefit from making their discovery public.

Even when the developer does release a patch for a vulnerability, far too many companies running the software are even slower to apply it. You might think that known fixes would be rolled out immediately, but that’s simply not the case. Known vulnerabilities often persist much longer than they should, allowing cybercriminals to continue exploiting them long after they’ve been revealed. For example, hundreds of cloud apps were still vulnerable to DROWN weeks after it was unveiled.

Offering bounties can be cost-effective for businesses, and it may go some way towards persuading researchers or hackers to aim for the white market, rather than the gray or black. But they have to act quickly to deal with vulnerabilities and protect their customers. The longer it takes to deal with flaws, the greater the risk that would-be attackers will weaponize them.   

To push even further toward the white-hat side, a smart approach can entail building security into the systems development lifecycle (SDLC) and following Open Web Application Security Project (OWASP) programming standards. A well-thought-out vulnerability management program that includes application penetration testing will also go a long way toward securing any and all applications.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity, Web Security Journal and others.
