
Bug bounty program - Wikipedia https://en.wikipedia.org/wiki/Bug_bounty_program

Bug bounty program


A bug bounty program is a deal offered by many websites, organizations and software developers by
which individuals can receive recognition and compensation[1][2] for reporting bugs, especially those
pertaining to security exploits and vulnerabilities.[3]

These programs allow the developers to discover and resolve bugs before the general public is aware of
them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been
implemented by a large number of organizations, including Mozilla,[4][5] Facebook,[6] Yahoo!,[7]
Google,[8] Reddit,[9] Square,[10] Microsoft,[11][12] and the Internet Bug Bounty.[13]

Companies outside the technology industry, including traditionally conservative organizations like the
United States Department of Defense, have started using bug bounty programs.[14] The Pentagon's use of
bug bounty programs is part of a posture shift that has seen several US government agencies reverse
course from threatening white hat hackers with legal action to inviting them to participate as part of a
comprehensive vulnerability disclosure framework or policy.[15]

History
Hunter and Ready initiated the first known bug bounty program in 1981 for their Versatile Real-Time
Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle
(a.k.a. Bug) in return.[16]

A little over a decade later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape
Communications Corporation, coined the phrase 'Bug Bounty'.[17]

Netscape encouraged its employees to push themselves and do whatever it takes to get the job done.
Ridlinghafer recognized that Netscape had many product enthusiasts and evangelists, some of whom could
even be considered fanatical about Netscape's browsers. He started to investigate the phenomenon in more
detail and discovered that many of Netscape's enthusiasts were actually software engineers who were
fixing the product's bugs on their own and publishing the fixes or workarounds, either in online news
forums that had been set up by Netscape's technical support department, or on the unofficial "Netscape
U-FAQ" website, which listed all known bugs and features of the browser, as well as instructions
regarding workarounds and fixes.

Ridlinghafer thought the company should leverage these resources and proposed the 'Netscape Bugs
Bounty Program', which he presented to his manager, who in turn suggested that Ridlinghafer present it at
the next company executive team meeting. At that meeting, attended by James Barksdale, Marc
Andreessen and the VPs of every department including product engineering, each member was given a
copy of the 'Netscape Bugs Bounty Program' proposal and Ridlinghafer was invited to present his idea to
the Netscape Executive Team. Everyone at the meeting embraced the idea except the VP of Engineering,
who did not want it to go forward, believing it to be a waste of time and resources. However, the objection was
overruled and Ridlinghafer was given an initial $50k budget to run with the proposal.

On October 10, 1995, Netscape launched the first technology bug bounty program for the Netscape
Navigator 2.0 Beta browser.[18][19]


Vulnerability Disclosure Policy controversy


In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to
post a video on an arbitrary Facebook account. According to the email communication between the
student and Facebook, he attempted to report the vulnerability through Facebook's bug bounty program, but
Facebook's engineers misunderstood his report. He then exploited the vulnerability using the
Facebook profile of Mark Zuckerberg, which resulted in Facebook refusing to pay him a bounty.[20]

Facebook started paying researchers who find and report security bugs by issuing them custom branded
"White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws.
"Researchers who find bugs and security improvements are rare, and we value them and have to find ways
to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an
interview. "Having this exclusive black card is another way to recognize them. They can show up at a
conference and show this card and say 'I did special work for Facebook.'"[21] In 2014, Facebook stopped
issuing debit cards to researchers.

Image caption: A Facebook "White Hat" debit card, which was given to researchers who reported security bugs.

In 2016, Uber experienced a security incident when an individual accessed the personal information of
57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to
destroy rather than publish the data. In Congressional testimony, Uber's CISO, John Flynn, indicated that the
company verified that the data had been destroyed before paying the $100,000.[22] Mr. Flynn expressed
regret that Uber did not disclose the incident in 2016. As part of its response to this incident, Uber worked
with partner HackerOne to update its bug bounty program policies to, among other things, more thoroughly
explain what constitutes good faith vulnerability research and disclosure.[23]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers for
finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called T-shirt-gate.[24]
High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying
Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such
as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later claimed
in a blog post[25] that he was behind the voucher reward program, and that he had essentially been paying
for the rewards out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31
of the same year, which allows security researchers to submit bugs and receive rewards between $250 and
$15,000, depending on the severity of the bug discovered.[26]

Similarly, when Ecava released the first known bug bounty program for ICS in 2013,[27][28] it was
criticized for offering store credits instead of cash, which critics said did not incentivize security researchers.[29]
Ecava explained that the program was intended to be initially restrictive and focused on the human safety
perspective for the users of IntegraXor SCADA, its ICS software.[27][28]

Some bug bounty programs have been criticized as tools to prevent security researchers from publicly
disclosing vulnerabilities, by conditioning participation in the program, or even the grant of safe harbor, on
abusive non-disclosure agreements.[30][31]

Geography
Though submissions for bug bounties come from many countries, a handful of countries tend to submit
more bugs and receive more bounties. The United States and India are the top countries from which
researchers submit bugs.[32] India, which has either the first or second largest number of bug hunters in
the world, depending on which report one cites,[33] topped the Facebook Bug Bounty Program with the
largest number of valid bugs.[34] "India came out on top with the number of valid submissions in 2017,
with the United States and Trinidad and Tobago in second and third place, respectively", Facebook stated
in a post.[35]

Notable programs
In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it
had been a bug bounty program covering many Google products. With the shift, however, the program
was broadened to include a selection of high-risk free software applications and libraries, primarily those
designed for networking or for low-level operating system functionality. Submissions that Google judged to
meet the guidelines would be eligible for rewards ranging from $500 to $3,133.70.[36][37] In 2017,
Google expanded its program to cover vulnerabilities found in applications developed by third parties
and made available through the Google Play Store.[38] Google's Vulnerability Rewards Program now
includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up
to $31,337.[39]

Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to
offer rewards for reporting hacks and exploits for a broad range of Internet-related software.[40] In 2017,
GitHub and the Ford Foundation sponsored the initiative, which is managed by volunteers, including volunteers from
Uber, Microsoft,[41] Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences.[42] The software
covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL,
Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader
exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[43]

In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack
the Pentagon" program.[44] The program ran from April 18 to May 12 and over 1,400 people submitted
138 unique valid reports through HackerOne. In total, the US Department of Defense paid out
$71,200.[45]

In 2019, the European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open
source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass. The project was co-facilitated
by the European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique
and valid vulnerabilities.[46]

Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to
post website and web application security vulnerabilities in the hope of a reward from affected website
operators.[47]

The Center for Analysis and Investigation of Cyber Attacks (TSARKA) (https://cybersec.kz/), a cybersecurity
company in Kazakhstan, launched a national vulnerability reward program called BugBounty.kz
(https://bugbounty.kz/) on December 8, 2021. Alongside private companies, governmental information systems
and information resources have joined the program. From the launch up until October 28, 2021, 1039
vulnerability reports were submitted. During the operation of the program, several critical vulnerabilities
were reported that could have led to leaks of personal data from critical infrastructure and to possible
manipulation of SCADA systems responsible for city life-support services.

See also
▪ Bounty hunter
▪ Cyber-arms industry
▪ Knuth reward check (Program in 1980)
▪ Market for zero-day exploits
▪ Open-source bounty
▪ White hat (computer security)
▪ Zerodium

References
1. "The Hacker-Powered Security Report - Who are Hackers and Why Do They Hack p. 23" (https://ma.hacker.one/rs/168-NAU-732/images/hacker-powered-security-report-2017.pdf) (PDF). HackerOne. 2017. Retrieved June 5, 2018.
2. Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management" (http://dl.acm.org/citation.cfm?doid=3357767.3357774). Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. Ictrs '19. Rhodes, Greece: ACM Press. pp. 49–55. arXiv:1909.11166 (https://arxiv.org/abs/1909.11166). doi:10.1145/3357767.3357774 (https://doi.org/10.1145%2F3357767.3357774). ISBN 978-1-4503-7669-3. S2CID 202676146 (https://api.semanticscholar.org/CorpusID:202676146).
3. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (November 19, 2018). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure" (https://doi.org/10.1186%2Fs40163-018-0090-8). Crime Science. 7 (1): 16. doi:10.1186/s40163-018-0090-8 (https://doi.org/10.1186%2Fs40163-018-0090-8). ISSN 2193-7680 (https://www.worldcat.org/issn/2193-7680). S2CID 54080134 (https://api.semanticscholar.org/CorpusID:54080134).
4. "Mozilla Security Bug Bounty Program" (https://www.mozilla.org/en-US/security/bug-bounty/). Mozilla. Retrieved July 9, 2017.
5. Kovacs, Eduard (May 12, 2017). "Mozilla Revamps Bug Bounty Program" (http://www.securityweek.com/mozilla-revamps-bug-bounty-program). SecurityWeek. Retrieved August 3, 2017.
6. Facebook Security (April 26, 2014). "Facebook WhiteHat" (https://facebook.com/whitehat). Facebook. Retrieved March 11, 2014.
7. "Yahoo! Bug Bounty Program" (https://hackerone.com/yahoo). HackerOne. Retrieved March 11, 2014.
8. "Vulnerability Assessment Reward Program" (https://www.google.com/about/appsecurity/reward-program/). Retrieved March 11, 2014.
9. "Reddit - whitehat" (https://www.reddit.com/wiki/whitehat). Reddit. Retrieved May 30, 2015.
10. "Square bug bounty program" (https://hackerone.com/square). HackerOne. Retrieved August 6, 2014.
11. "Microsoft Bounty Programs" (https://wayback.archive-it.org/all/20131121090336/http://technet.microsoft.com/en-US/security/dn425036). Microsoft Bounty Programs. Security TechCenter. Archived from the original (http://microsoft.com/bountyprograms) on November 21, 2013. Retrieved September 2, 2016.


12. Zimmerman, Steven (July 26, 2017). "Microsoft Announces Windows Bug Bounty Program and Extension of Hyper-V Bounty Program" (https://www.xda-developers.com/microsoft-windows-bug-bounty/). XDA Developers. Retrieved August 3, 2017.
13. HackerOne. "Bug Bounties - Open Source Bug Bounty Programs" (https://www.hackerone.com/internet-bug-bounty). Retrieved March 23, 2020.
14. "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs" (https://www.wired.com/story/hack-the-pentagon-bug-bounty-results/). Wired. November 10, 2017. Retrieved May 25, 2018.
15. "A Framework for a Vulnerability Disclosure Program for Online Systems" (https://www.justice.gov/criminal-ccips/page/file/983996/download/). Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice. July 2017. Retrieved May 25, 2018.
16. "The first "bug" bounty program" (https://twitter.com/cybersecuritysf/status/883829319604293632). Twitter. July 8, 2017. Retrieved June 5, 2018.
17. Friis-Jensen, Esben (March 3, 2021). "The History of Bug Bounty Programs" (https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3). Medium. Retrieved August 6, 2021.
18. "Netscape announces Netscape Bugs Bounty with release of netscape navigator 2.0" (https://web.archive.org/web/19970501041756/http://www101.netscape.com/newsref/pr/newsrelease48.html). Internet Archive. Archived from the original (http://www101.netscape.com/newsref/pr/newsrelease48.html) on May 1, 1997. Retrieved January 21, 2015.
19. "Cobalt Application Security Platform" (https://cobalt.io/blog/the-history-of-bug-bounty-programs). Cobalt. Retrieved July 30, 2016.
20. "Zuckerberg's Facebook page hacked to prove security flaw" (https://edition.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/index.html). CNN. August 20, 2013. Retrieved November 17, 2019.
21. Mills, Elinor. "Facebook whitehat Debit card" (https://www.cnet.com/news/facebook-hands-out-white-hat-debit-cards-to-hackers/). CNET.
22. "Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc" (https://www.commerce.senate.gov/public/_cache/files/7d70e53e-73e9-4336-a100-67b233084f12/75728554E990488D71625DFA69B05494.uber---john-flynn---testimony.pdf) (PDF). United States Senate. February 6, 2018. Retrieved June 4, 2018.
23. "Uber Tightens Bug Bounty Extortion Policy" (https://threatpost.com/uber-tightens-bug-bounty-extortion-policies/131512/). Threat Post. April 27, 2018. Retrieved June 4, 2018.
24. Osborne, Charlie. "Yahoo changes bug bounty policy following 't-shirt gate'" (https://www.zdnet.com/yahoo-changes-bug-bounty-policy-following-t-shirt-gate-7000021508). ZDNet.
25. Martinez, Ramses. "So I'm the guy who sent the t-shirt out as a thank you" (https://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you). Yahoo Developer Network. Retrieved October 2, 2013.
26. Martinez, Ramses. "The Bug Bounty Program is Now Live" (https://yahoodevelopers.tumblr.com/post/65622522325/the-bug-bounty-program-is-now-live). Yahoo Developer Network. Retrieved October 31, 2013.
27. Toecker, Michael (July 23, 2013). "More on IntegraXor's Bug Bounty Program" (http://www.digitalbond.com/blog/2013/07/23/more-on-integraxors-bug-bounty-program/). Digital Bond. Retrieved May 21, 2019.


28. Ragan, Steve (July 18, 2013). "SCADA vendor faces public backlash over bug bounty program" (https://www.csoonline.com/article/2133737/scada-vendor-faces-public-backlash-over-bug-bounty-program.html). CSO. Retrieved May 21, 2019.
29. Rashi, Fahmida Y. (July 16, 2013). "SCADA Vendor Bashed Over 'Pathetic' Bug Bounty Program" (https://www.securityweek.com/scada-vendor-bashed-over-pathetic-bug-bounty-program). Security Week. Retrieved May 21, 2019.
30. "How Zoom handled vulnerability shows the dark side of bug bounty's" (https://proprivacy.com/privacy-news/dark-side-of-bug-bountys). ProPrivacy.com. Retrieved May 17, 2023.
31. Porup, J. M. (April 2, 2020). "Bug bounty platforms buy researcher silence, violate labor laws, critics say" (https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html). CSO Online. Retrieved May 17, 2023.
32. "The 2019 Hacker Report" (https://www.hackerone.com/sites/default/files/2019-02/the-2019-hacker-report_3.pdf) (PDF). HackerOne. Retrieved March 23, 2020.
33. "Bug hunters aplenty but respect scarce for white hat hackers in India" (https://factordaily.com/india-bug-bounty-superpower/). Factor Daily. February 8, 2018. Retrieved June 4, 2018.
34. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers" (https://www.facebook.com/notes/facebook-bug-bounty/2017-highlights-880000-paid-to-researchers/1918340204846863/). Facebook. January 11, 2018. Retrieved June 4, 2018.
35. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers" (https://www.facebook.com/notes/facebook-bug-bounty/2017-highlights-880000-paid-to-researchers/1918340204846863/). Facebook. January 11, 2018. Retrieved June 4, 2018.
36. Goodin, Dan (October 9, 2013). "Google offers "leet" cash prizes for updates to Linux and other OS software" (https://arstechnica.com/security/2013/10/google-offers-leet-cash-prizes-for-updates-to-linux-and-other-os-software/). Ars Technica. Retrieved March 11, 2014.
37. Zalewski, Michal (October 9, 2013). "Going beyond vulnerability rewards" (http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html). Google Online Security Blog. Retrieved March 11, 2014.
38. "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play" (https://www.theverge.com/2017/10/22/16516670/google-play-security-rewards-program-vulnerabilities-bug-bounty/). The Verge. October 22, 2017. Retrieved June 4, 2018.
39. "Vulnerability Assessment Reward Program" (https://www.google.com/about/appsecurity/reward-program/). Retrieved March 23, 2020.
40. Goodin, Dan (November 6, 2013). "Now there's a bug bounty program for the whole Internet" (https://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/). Ars Technica. Retrieved March 11, 2014.
41. Abdulridha, Alaa (March 18, 2021). "How I hacked Facebook: Part Two" (https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19). infosecwriteups. Retrieved March 18, 2021.
42. "Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure" (https://venturebeat.com/2017/07/21/facebook-github-and-the-ford-foundation-donate-300000-to-bug-bounty-program-for-internet-infrastructure/). VentureBeat. July 21, 2017. Retrieved June 4, 2018.
43. "The Internet Bug Bounty" (https://hackerone.com/ibb). HackerOne. Retrieved March 11, 2014.


44. "DoD Invites Vetted Specialists to 'Hack' the Pentagon" (http://www.defense.gov/News-Article-View/Article/684616/dod-invites-vetted-specialists-to-hack-the-pentagon). U.S. Department of Defense. Retrieved June 21, 2016.
45. "Vulnerability disclosure for Hack the Pentagon" (https://hackerone.com/hackthepentagon). HackerOne. Retrieved June 21, 2016.
46. "EU-FOSSA 2 - Bug Bounties Summary" (https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-06/EU-FOSSA%202%20-%20D3.1%20Bug%20Bounties%20Summary%20Final_0.pdf) (PDF).
47. Dutta, Payel (February 19, 2018). "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147" (https://www.techworm.net/2018/02/open-bug-bounty-100000-fixed-vulnerabilities-iso-29147.html). TechWorm. Retrieved April 10, 2023.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Bug_bounty_program&oldid=1177269905"
