Bug bounty programs have increased significantly in popularity and use over the last several years and for good reason -- they’re sexy, offering cold hard cash and the opportunity for cybersecurity experts to play detective for a good cause.

More and more organizations are adopting these initiatives to tap into a vast resource of researchers who dedicate their time to finding and examining vulnerabilities that pose a potential threat in the wrong hands.

Their incentive is not only the opportunity to secure sometimes hefty sums of money for the safe and responsible disclosure of certain unknown/unsecured exploits but also the chance to gain recognition as discoverers of security weak spots that could have led to substantial data breaches or other incidents.

Bug hunting for a bounty is an innovative cybersecurity approach

Bug bounty programs are a relatively new and innovative approach in the conventional cybersecurity landscape. They complement other solutions to bring continuous security testing, discovery of real/high-impact security vulnerabilities, and collaboration with an international community of ethical hackers, Fabien Lemarchand, VP of platform and security at online marketplace ManoMano, tells CSO. Lemarchand co-created Hack4Values -- a global bug-hunting program for non-governmental organizations (NGOs) and nonprofits.

“Bug bounty programs are a response to the current challenges facing organizations in the face of cyber threats: lack of security experts, lack of efficiency, lack of understanding of the exponential growth in cyber threats,” he says.

There’s no such thing as zero risk, but by engaging with bug bounty schemes, organizations can think like an attacker, rather than a defender, Lemarchand adds. They bring an offensive approach to traditionally defensive cyber strategies, one that puts people and ethical hacking at their heart.

“Every discovery made by an ethical hacker during a bug bounty program will be real and relevant to your security strategy, as well as the protection of your information systems and their users.” They can provide a clear return on investment too -- an understandable resource for developers and other business teams, Lemarchand says. “It is a transparent and clear way of highlighting the value of cybersecurity.”

Here are 12 notable programs launched in 2023.

US DoD announces third Hack the Pentagon program

In January, the US Department of Defense (DoD) revealed plans to launch the third iteration of its Hack the Pentagon bug bounty program, first unveiled in 2016 and repeated in 2018. A key aim of Hack the Pentagon 3.0 is to unleash white-hat hackers on the government’s Washington Headquarters Services (WHS) Facilities Services Directorate (FSD) Facility Related Controls System (FRCS) network, according to a draft performance work statement.

“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” the statement read.

Researchers must be diverse in skillset and able to conduct source code analysis, reverse engineering, and network and system exploitation, it added.

Malwarebytes offers payouts for confirmed vulnerabilities

In March, anti-malware vendor Malwarebytes announced it was offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing a remote code execution (RCE) risk to Malwarebytes’ web properties or to customers running its endpoint protection software, or that could lead to the takeover of AWS cloud infrastructure, would attract the greatest rewards, the firm said.

“Now we’re doing so much more than just malware remediation. We’ve forged ahead into the world of cyber protection, privacy, and beyond,” the vendor wrote. “Malwarebytes looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.”

OpenAI supports development of safe and advanced AI

In April, ChatGPT creator OpenAI launched a new bug bounty program to support the development of safe and advanced AI. “We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone,” the company said.

OpenAI partnered with leading bug bounty platform Bugcrowd to manage the submission and reward process, which it said is designed to ensure a streamlined experience for all participants.

“To incentivize testing and as a token of our appreciation, we will be offering cash rewards based on the severity and impact of the reported issues,” OpenAI wrote. Rewards range from $200 for low-severity findings up to $20,000 for exceptional discoveries.

LayerZero Labs, Immunefi partner to promote Web3 security

In May, LayerZero Labs, the team that launched the leading cross-chain messaging protocol LayerZero, announced the launch of a new bug bounty program in partnership with Immunefi, the bug bounty and security services platform for Web3.

The pair called the program the “largest in the history” of the software industry and said it demonstrates a commitment to security as well as to the developers and users in the LayerZero ecosystem. LayerZero Labs revealed it would be offering a maximum reward of $15 million for each new vulnerability found at the highest severity level.

“Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported,” wrote Immunefi.

Third edition of The Good Catch program protects Democratic tech vendors

In June, three political tech organizations -- Higher Ground Labs, Trestle Collaborative, and Zinc Collective -- opened applications for the third edition of The Good Catch, a bug bounty program dedicated to Democratic tech vendors. The program ran during the 2020 and 2022 election cycles, and this cycle’s program will run up until next year’s US presidential election, Matt Hodges, executive director at Zinc Collective’s Democrat-focused political tech lab, told Axios.

Participating tech vendors create an account on Federacy, an online platform that manages bug bounty programs for organizations. Each company signed up keeps its program private by default, meaning only vetted researchers will be invited to participate. Participating vendors can also decide to open their bug bounty programs to the entire platform. Once their programs are up and running, vendors receive reports of potentially exploitable security flaws in their systems, which they’ll need to verify on their own.

If requested, the program can provide vendors with general advice about how to stand up their security programs and can recommend other consultancy firms to help with more nuanced questions.

SquareX invites bug hunters to hack-test browser-based cybersecurity product

In June, endpoint security vendor SquareX announced a bug bounty program inviting hackers, security researchers, technologists, and students to hack-test its browser-based cybersecurity product and find security vulnerabilities in it before its launch.

To incentivize and reward bug hunters, SquareX offered rewards totalling up to $25,000 for successfully discovered, reported, and qualified vulnerabilities. The program spanned six weeks, from June 15, 2023, to July 27, 2023, with hunters encouraged to help battle-test and harden the product.

“We invite the global hacker community to participate in this bug bounty program and help us discover vulnerabilities. I hope in doing so, we will be able to launch a world-class cybersecurity product that consumers can use and be fearless online,” said Vivek Ramachandran, founder of SquareX.

Upon closure of the program, SquareX said it witnessed an impressive influx of hunters, particularly from India, the USA, and Germany, who launched thousands of automated scans and targeted attacks on its product. However, even with the incentives in place and the doubling of the prize money, SquareX reported that zero critical bugs were discovered during the process.

Swisstronik offers up to $31,000 per discovered bug

In August, Swisstronik, the layer-1 network for building regulatory-compliant dApps with enhanced data privacy, announced the launch of its first bug bounty program, with rewards reaching $31,000 per bug.

Swisstronik said that participants will help the firm become a secure bridge between the traditional world, with its regulatory requirements, and the Web3 world, with its high privacy and decentralization standards. “As a result, developers can contribute to a more balanced Web3 in which KYC and other user verifications do not result in personal data loss or reliance on centralized parties, and help boost the overall blockchain adoption.”

Protect AI launches huntr AI/ML bug bounty platform

In August, Protect AI announced the launch of the “world’s first” AI and machine learning bug bounty platform, huntr. The firm said the launch enables the cultivation of a robust community of security researchers dedicated to uncovering vulnerabilities and providing remediations within AI/ML packages, libraries, frameworks, and models.

“As part of our program, it is important that all contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed, acknowledged by the maintainer, and subsequently patched, we credit all contributors involved for their crucial work in the process,” Protect AI said.

The platform hosts monthly contests that give researchers opportunities to showcase their skills and earn rewards. The inaugural contest on the huntr AI/ML bug bounty platform focused on Hugging Face Transformers, presenting a reward of up to $50,000.

Free bug hunting program for NGOs, nonprofits expands across Europe

In July, Hack4Values announced the expansion of its free bug-hunting program for NGOs and nonprofits across Europe. First launched in France in 2022, the Hack4Values platform is an online community made up of ethical hackers and security researchers committed to creating a safer digital world for all NGOs and their beneficiaries.

The program offers NGOs and nonprofits a free platform audit to help identify the security risks they face, with the Hack4Values community also providing solutions to help these organizations keep their data secure from cyber threats.

Since launching, over 50 ethical hackers who have volunteered for Hack4Values have provided bug bounty programs for 10 NGOs, including Amnesty International and Action Against Hunger.

Yahoo picks Intigriti to run crowdsourced security program

In September, Yahoo announced a partnership with global crowdsourced security firm Intigriti to launch a new public bug bounty program. The program covers Europe and is open to the 75,000 ethical hackers who are registered on the Intigriti platform, along with anyone else who wishes to take part.

Payout rates are on a scale that’s proportional to potential impact, Yahoo and Intigriti said. Researchers can earn between $100 and $500 for low-ranked vulnerabilities, up to $10,000 for high-rated flaws, and between $10,000 and $15,000 for any critical issues discovered. The program also offers ethical hacking teams generous cash rewards for topping the leaderboard in select Capture The Flag (CTF) competitions, a move that aims to attract top cybersecurity talent and foster collaboration among ethical hackers.

“Expanding our bug bounty program with Intigriti gives us a bigger outreach to the global ethical hacker community. We want to cater to as many people as possible and provide the best service possible to our users,” commented Arjun Govindaraju, technical principal security engineer at Yahoo.

Nearly 70 assets are in scope under the program, including Yahoo’s high-value web domains, APIs, and Search services, along with Yahoo Shopping, Yahoo Mail, and media brands Yahoo News and Yahoo Sports.

Cryptocurrency exchange Uniswap unveils four-tier program

In September, decentralized cryptocurrency exchange Uniswap initiated a new bug bounty program featuring a four-tier severity scale: critical, high, medium, and low/informational. Uniswap said it would be offering rewards of up to 2,250,000 USD Coin, depending on the severity of identified bugs and the assets at risk, according to The Crypto Times.

The program covers vulnerabilities and bugs in smart contracts deployed by Uniswap, which can be found in various GitHub repositories including the Universal Router Contract Code, Permit2 Contract Code, V3 Contract Code, and UniswapX Contract Code.

Google expands program to include generative AI security issues

In October, Google announced that it is expanding its bug bounty program to include generative AI-specific security issues. Expanding rewards to cover attack scenarios specific to generative AI will “incentivize research around AI safety and security, and bring potential issues to light that will ultimately make AI safer for everyone,” said Laurie Richardson, VP of trust and safety, and Royal Hansen, VP of privacy, safety and security engineering at Google.

The tech giant also announced it would be expanding its open-source security work to make information about AI supply chain security universally discoverable and verifiable.

Google’s engineering team posted a list of AI attack scenarios that are eligible for rewards. These include prompt attacks, training data extraction, manipulating models, adversarial perturbation, and model theft/exfiltration.