Bug bounty programs have increased significantly in popularity and use over the last several years and for good reason — they’re sexy, offering cold hard cash and the opportunity for cybersecurity experts to play detective for a good cause.
More and more organizations are adopting these initiatives to tap into a vast resource of researchers who dedicate their time to finding and examining vulnerabilities that pose a potential threat in the wrong hands.
Their incentive is not only the opportunity to earn sometimes hefty sums of money for the safe and responsible disclosure of previously unknown or unpatched vulnerabilities, but also the chance to gain recognition as discoverers of security weak spots that could have led to substantial data breaches or other incidents.
Bug hunting for a bounty is an innovative cybersecurity approach
Bug bounty programs are a relatively new and innovative approach in the conventional cybersecurity landscape. They complement other solutions to bring continuous security testing, discovery of real/high-impact security vulnerabilities, and collaboration with an international community of ethical hackers, Fabien Lemarchand, VP of platform and security at online marketplace ManoMano, tells CSO. Lemarchand co-created Hack4Values — a global bug-hunting program for non-governmental organizations (NGOs) and nonprofits.
“Bug bounty programs are a response to the current challenges facing organizations in the face of cyber threats: lack of security experts, lack of efficiency, lack of understanding of the exponential growth in cyber threats,” he says.
There’s no such thing as zero risk, but by engaging with bug bounty schemes, organizations can think like an attacker rather than a defender, Lemarchand adds. Bounties bring an offensive approach to traditionally defensive cyber strategies, one that puts people and ethical hacking at their heart.
“Every discovery made by an ethical hacker during a bug bounty program will be real and relevant to your security strategy, as well as the protection of your information systems and their users.” They can provide a clear return on investment too — an understandable resource for developers and other business teams, Lemarchand says. “It is a transparent and clear way of highlighting the value of cybersecurity.”
Here are 12 notable programs launched in 2023.
US DoD announces third Hack the Pentagon program
In January, the US Department of Defense (DoD) revealed plans to launch the third iteration of its Hack the Pentagon bug bounty program, first unveiled in 2016 and repeated in 2018. A key aim of Hack the Pentagon 3.0 is to unleash white-hat hackers on the government’s Washington Headquarters Services (WHS) Facilities Services Directorate (FSD) Facility Related Controls System (FRCS) network, according to a draft performance work statement.
“The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” the statement read.
Researchers must be diverse in skillset and able to conduct source code analysis, reverse engineering, and network and system exploitation, it added.
Malwarebytes offers payouts for confirmed vulnerabilities
In March, anti-malware vendor Malwarebytes announced it was offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing a remote code execution (RCE) risk to Malwarebytes’ web properties or customers running its endpoint protection software, or that could lead to the takeover of AWS cloud infrastructure, would attract the greatest rewards, the firm said.
“Now we’re doing so much more than just malware remediation. We’ve forged ahead into the world of cyber protection, privacy, and beyond,” the vendor wrote. “Malwarebytes looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.”
OpenAI supports development of safe and advanced AI
In April, ChatGPT creator OpenAI launched a new bug bounty program to support the development of safe and advanced AI. “We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone,” the company said.
OpenAI partnered with leading bug bounty platform Bugcrowd to manage the submission and reward process, which it said is designed to ensure a streamlined experience for all participants.
“To incentivize testing and as a token of our appreciation, we will be offering cash rewards based on the severity and impact of the reported issues,” OpenAI wrote. Rewards range from $200 for low-severity findings to up to $20,000 for exceptional discoveries.
In May, LayerZero Labs, the team that launched the leading cross-chain messaging protocol LayerZero, announced the launch of a new bug bounty program in partnership with Immunefi, the bug bounty and security services platform for Web3.
The pair called the program the “largest in the history” of the software industry and said it shows a commitment to security as well as to the developers and users in the LayerZero ecosystem. LayerZero Labs said it would offer a maximum reward of $15 million for each new vulnerability found at the highest severity level.
“Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported,” wrote Immunefi.
Third edition of The Good Catch program protects Democratic tech vendors
In June, three political tech organizations — Higher Ground Labs, Trestle Collaborative, and Zinc Collective — opened applications for the third edition of The Good Catch, a bug bounty program dedicated to Democratic tech vendors. The program ran during the 2020 and 2022 election cycles, and this cycle’s program will run up until next year’s US presidential election, Matt Hodges, executive director at Zinc Collective’s Democrat-focused political tech lab, told Axios.
Participating tech vendors create an account on Federacy, an online platform that manages bug bounty programs for organizations. Each company that signs up keeps its program private by default, meaning only vetted researchers will be invited to participate. Participating vendors can also decide to open their bug bounty programs to the entire platform. Once their programs are up and running, vendors receive reports of potentially exploitable security flaws on their systems, which they’ll need to verify on their own.
If requested, the program can provide vendors with general advice about how to stand up their security programs and can recommend other consultancy firms to help with more nuanced questions.
SquareX invites bug hunters to hack-test browser-based cybersecurity product
In June, endpoint security vendor SquareX announced a bug bounty program to invite hackers, security researchers, technologists, and students to hack-test its browser-based cybersecurity product and find security vulnerabilities in it before its launch.
To incentivize and reward bug hunters, SquareX offered rewards totalling up to $25,000 for successfully discovered, reported, and qualified vulnerabilities. The program spanned six weeks from June 15, 2023, to July 27, 2023, with hunters encouraged to help battle-test and harden the product.
“We invite the global hacker community to participate in this bug bounty program and help us discover vulnerabilities. I hope in doing so, we will be able to launch a world-class cybersecurity product that consumers can use and be fearless online,” said Vivek Ramachandran, founder of SquareX.
Upon closure of the program, SquareX said it witnessed an impressive influx of hunters, particularly from India, the USA, and Germany, who launched thousands of automated scans and targeted attacks on its product. However, even with the incentives in place and the doubling of the prize money, SquareX reported that zero critical bugs were discovered during the process.
Swisstronik offers up to $31,000 per discovered bug
In August, Swisstronik, the layer-1 network for building regulatory-compliant dApps with enhanced data privacy, announced the launch of its first bug bounty program with rewards reaching $31,000 per bug.
Swisstronik said that participants will help the firm become a secure bridge between the traditional world with its regulatory requirements and the Web3 world with its high privacy and decentralization standards. “As a result, developers can contribute to a more balanced Web3 in which KYC and other user verifications do not result in personal data loss or reliance on centralized parties, and help boost the overall blockchain adoption.”
Protect AI launches huntr AI/ML bug bounty platform
In August, Protect AI announced the launch of the “world’s first” AI and machine learning bug bounty platform, huntr. The firm said the launch enables the cultivation of a robust community of security researchers dedicated to uncovering vulnerabilities and providing remediations within AI/ML packages, libraries, frameworks, and models.
“As part of our program, it is important that all contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed, acknowledged by the maintainer, and subsequently patched, we credit all contributors involved for their crucial work in the process,” Protect AI said.
The platform hosts monthly contests providing researchers opportunities to showcase their skills and earn rewards. The inaugural contest on the huntr AI/ML bug bounty platform focused on Hugging Face Transformers, presenting a reward of up to $50,000.
Free bug hunting program for NGOs, nonprofits expands across Europe
In July, Hack4Values announced the expansion of its free bug-hunting program for NGOs and nonprofits across Europe. First launched in France in 2022, the Hack4Values platform is an online community comprised of ethical hackers and security researchers committed to creating a safer digital world for all NGOs and their beneficiaries.
The program offers NGOs and nonprofits a free platform audit to help identify the security risks they face, with the Hack4Values community also providing solutions to help these organizations keep their data secure from cyber threats.
Since launching, over 50 ethical hackers who have volunteered for Hack4Values have provided bug bounty programs for 10 NGOs including Amnesty International and Action Against Hunger.
Yahoo picks Intigriti to run crowdsourced security program
In September, Yahoo announced a partnership with global crowdsourced security firm Intigriti to launch a new public bug bounty program. The program covers Europe and is open to the 75,000 ethical hackers who are registered on the Intigriti platform, along with anyone else who wishes to take part.
Payout rates are on a scale that’s proportional to potential impact, Yahoo and Intigriti said. Researchers can earn between $100 and $500 for low-ranked vulnerabilities, up to $10,000 for high-rated flaws, and between $10,000 and $15,000 for any critical issues discovered. The program also offers ethical hacking teams generous cash rewards for topping the leaderboard in select Capture The Flag (CTF) competitions, a move that aims to attract top cybersecurity talent and foster collaboration among ethical hackers.
“Expanding our bug bounty program with Intigriti gives us a bigger outreach to the global ethical hacker community. We want to cater to as many people as possible and provide the best service possible to our users,” commented Arjun Govindaraju, technical principal security engineer at Yahoo.
Nearly 70 assets are in scope under the program, including Yahoo’s high-value web domains, APIs, and Search services, along with Yahoo Shopping, Yahoo Mail, and the media brands Yahoo News and Yahoo Sports.
Cryptocurrency exchange Uniswap unveils four-tier program
In September, decentralized cryptocurrency exchange Uniswap initiated a new bug bounty program featuring a four-tier severity scale: critical, high, medium, and low/informational. Uniswap said it would be offering rewards of up to 2,250,000 USD Coin, depending on the severity of identified bugs and the assets at risk, according to The Crypto Times.
The program covers vulnerabilities and bugs in smart contracts that are deployed by Uniswap, which can be found in various GitHub repositories including the Universal Router Contract Code, Permit2 Contract Code, V3 Contract Code, and UniswapX Contract Code.
Google expands program to include generative AI security issues
In October, Google announced that it is expanding its bug bounty program to include generative AI-specific security issues. Expanding rewards to cover attack scenarios specific to generative AI will “incentivize research around AI safety and security, and bring potential issues to light that will ultimately make AI safer for everyone,” said Laurie Richardson, VP of trust and safety, and Royal Hansen, VP of privacy, safety and security engineering at Google.
The tech giant also announced it would be expanding its open-source security work to make information about AI supply chain security universally discoverable and verifiable.
Google’s engineering team posted a list of AI attack scenarios that are eligible for rewards. These include prompt attacks, training data extraction, manipulating models, adversarial perturbation, and model theft/exfiltration.