Everything You Need to Know about Bug Bounties & How To Get Involved

Ethical hacking might sound contradictory, but leveraging the skills of the ‘white hat’ hacker community has done a great deal for safety and security on the internet. Nowhere does this show more than through so-called bug bounty programs created to tackle different issues within the code. Many bug bounty programs focus on identifying issues within software or applications. However, others focus on server or website vulnerabilities.

The Benefits of Open Source (and Its Primary Challenge)

With the rapid development and sustainable iterations, open-source software (OSS) libraries and frameworks have been in massive demand. There are few traditional proprietary software that can match the fast-track development cycle using OSS.

Additionally, it helps to pull down costs and reduce the time-to-market cycle by cutting down on time needed for custom coding. Instead, it mines existing OSS, which can be quickly shared, modified, and copied.

While proprietary coding is far from dead, OSS now plays a huge role in the market. According to statistics:

• Both LAMP (Linux, Apache, MySQL, and PHP) and MEAN (MongoDB, Express.js, AngularJS, and Node.js) development stacks have become hugely popular,
• Android, one of the most popular Linux kernel operating systems on the market, runs on 85% of the world’s smartphones,
• Linux also powered three quarters of the public cloud workload over the pandemic.
  
  

Statistics on the use of OpenSource suggest up to 70% of the world’s code databases are drawing on OpenSource. That’s impressive, but that means any risk related to OSS use has become critical to tackle. Open source has never been more important in the software community. The time when a vulnerability could come to light a few years later and be tackled then is long past. A fast, responsive debugging is our critical priority. 

What Are Bug Bounties & How Do They Work?

So, how do we incentivize an unpaid, sharing space that brings the coders no revenue to produce results quickly? Cybercriminals are not going to come forward, after all. While many Linux and Open-Source developers take pride in their development and offer fixes as soon as possible, we can’t expect miracles from a product offered for free and often created in the developer’s spare time. 

How Do Bug Bounties Work?

Bug bounty programs have stepped into this role. You’ll find them throughout the ‘Big Tech’ space, including those from Google, Microsoft, Facebook, and Apple, as well as smaller firms.

Bug bounties are programs which pay out to interested parties who find and fix vulnerabilities in open-source code before impacting the platforms using them, adding an additional layer of security to software developed with OSS.

Types of Bug Bounty Programs

Bug Bounties fall into two categories - Private and Public.

Public programs allow anyone who is interested to participate. While some may have specific restrictions based on the participants existing track record or skill level, mostly anyone can report a potential exploit (and fix) to them within the bounty’s guidelines. Some are even offered off of the specific platform, focusing instead on the general body of OS code. 

Private programs work differently. They’re invite-only programs, choosing hand-picked ethical hackers based on their skill level and existing stats. Typically, invitees have already demonstrated great skill in testing the kind of applications the program is focusing on. While some will evolve to a public-style bug bounty later on, some remain private for their entire lifecycle. Many private programs are also specifically focused on critical coding sections of the platform, intending to boost security and limit vulnerabilities in their product offerings.

What Are the Benefits of Bug Bounties?

So, the primary benefit of bug bounties is easy to see. They offer a way to financially incentivize researchers to analyze code, report vulnerabilities, and close them before they become an issue. Critically, they also don’t ‘break’ the primary value of OSS code - it stays free, shareable, and accessible to any party who needs it.

What else do they do?

Public Disclosure

A more hidden side of the business is incentivizing these white-hat hackers to not publicly disclose what they find until the matter is fixed. This means cybercriminals don’t get an advanced warning of the issue until it’s too late to do anything with that information.  

Pay for Results

Bug bounty programs only pay out when a specific chain of reporting and fixing has been followed. This means they don’t incentivize the wrong people to ‘milk the market’ by creating these issues, nor reward bad behavior - only the ethical hacker who closes, rather than exploits, the vulnerability.

Discretion

In some private bug bounty programs, you can even hand-pick who you want to invite to ‘hack’ your product, providing greater control and discretion to the market. Of course, a public program can get results faster, but it can also be overwhelmingly difficult to manage for smaller security teams.

Continual Testing

We’ve emphasized this already, but it bears repeating. Use of a bug bounty program allows programmers and software companies to keep a fresh and vigilant taskforce on the job, meaning that bug loopholes don’t only get identified in Beta, but continuously come to light. This becomes especially helpful as updates and new innovations to older software go live.

Vast Body of Testers

Even the largest companies cannot employ thousands of testers in-house. They can, however, access them through bug bounty programs. They give access to a huge body of willing testers, continually working to better the software and close dangerous loopholes.

Diversity

Working in tandem with our previous point, you also remove almost all bias when you run a bug bounty program. Testers come from wildly different backgrounds, skill sets, and walks of life, across all geographical boundaries. This allows a phenomenal testing pool.

Scalability

Bug bounty programs can be scaled up or down to suit the company. Smaller entities can start gently, but expand their testing if their product gains marketplace traction. You can onboard more expertise at critical times, such as during new updates or product launches, and scale it back when there’s less demand.

Expense

Despite the need to pay out on successful presentation of a solution, bug bounties typically work out cheaper in the long run than in-house testing. They certainly are cheaper than the loss to reputation and customer trust that can come when a critical vulnerability remains live, too.

Skilled Labor

It’s worth mentioning that you’re not paying for unskilled eyes, either. Private bug bounty programs get to hand-pick who they’re working with. Even public programs are working with skilled testers who have to demonstrate that they can close, not just identify, loopholes. So you’re always using the right people for the job.

Control

This also places a great deal of control in the hands of the company running a bug bounty. You set the rules, and the ethical hackers engaging with your product come to you with the solutions. You can choose how long the program runs, what sort of bugs are being tested for, what you pay out for, and a lot more.

One single bug bounty program- the Internet Bug Bounty- has managed to uncover over a thousand defects in existing open-source programs, paying out a combined total of $750,000 to the hackers that came forward. On average, each bounty netted $500-$750, although some high-end bounties have capped at $25,000 for particularly lucrative loopholes. They’ve even used a ‘bragging rights’ billboard as extra incentive.

Closing the Door on Open Source Loopholes with Bug Bounties

Fortunately, Open Source software has the support of a very robust and engaged programming community. They’re already engaged in making open source solutions faster, more effective, efficient, and secure.  

Bug bounties, however, offer an additional bonus for achieving results fast. They’re also a great way for an app, API, or other software to ensure it’s offering its customers only the best security in robustly examined and policed software, eliminating one of the biggest concerns with using OSS in the first place. 

What Are Some Notable Vulnerabilities that Were Fixed as a Result of a Bug Bounty?

Part of the allure of an effective bug bounty program is that we never hear exactly what was fixed. Or, if we do, we only hear about it years after the exploit was live. While the results of ethical hackers’ hard work go live almost daily, part of the idea is that we never know quite what the original exploit was.

However, one key bug bounty-created solution was the recent vulnerability patch released by Microsoft surrounding the CVE-2022-26904, which was uncovered as part of joint information shared by CrowdStrike and the US National Security Agency. This particular fix tackled a privilege escalation issue that allowed a ‘win a race condition to fall over into exploitation.

In fact, a high number of the fixes now being released by Microsoft as part of their ‘Patch Tuesdays’ updates have been found through Microsoft-specific bug bounty programs. Multiply that by the many software and API updates going live daily, and you have a great idea of how important a solid bug bounty program can be to both companies and their end users.

What Is Coordinated Vulnerability Disclosure?

Coordinated vulnerability disclosure (CVD), formerly known as responsible disclosure, is a system for disclosure of vulnerabilities or flaws to the public after patches or remedies have been issued. This coordination distinguishes the CVD model from the "full disclosure" model. 

Because software developers often require time and resources to repair their mistakes, ethical hackers find these vulnerabilities. Hackers and cybersecurity experts consider it their social responsibility to make vulnerabilities public knowledge as hiding problems could cause a feeling of false security. To avoid this, those involved arrange a specific amount of time to repair the vulnerability. The time needed for an emergency fix or workaround depends on the potential impact of the vulnerability, ranging from a few days to several months.

The market for bug bounties has developed over recent years, sparking heavy debate over the ethics of monetizing vulnerability reports. Some security experts have the expectation of compensation while others view this as extortion.

How Do I Get Started with a Bug Bounty? What Skills Do I Need?

Wondering how to get started with bug bounties? Obviously, participating in a bug bounty program needs a wealth of specialist knowledge. Participants need a solid grounding in computer networking, web technologies and protocol, and security mechanisms. This includes a solid grounding in security practices (and their hacking bypasses), common vulnerabilities in applications and the web, and how to find them. 

You will also need the skill set to patch and prevent these vulnerabilities, so most bug bounty program participants are either coders themselves, or the so-called ‘ethical hackers’ who test their coding boundaries with the aim to help resolve, rather than exploit, them. Remember that these are ever-evolving skill sets, and you will need to stay up-to-date on current industry trends and changes. If you’re starting from scratch, there are bug bounties for beginners resources you can use to start honing your skills. 

From there, most potential program participants will start in public bug bounty programs to build and polish their skills. Bug bounties lists are pretty easy to find. There’s even a bug bounties Reddit sub to explore! So it’s less a case of where to find bug bounties, and more.  

Focus on companies with bug bounties for software you feel most confident in. Earning a reputation in public programs is often the key first step to being invited to private programs.

Is There Training on How to Get Into Bug Bounties?

Yes, there are! If you’re brand new to the idea, but keen to get started, there are some quality resources you can use to help you get going.

Books & e-Books

Believe it or not, there’s a wealth of traditional book and e-book resources that can break you into the basics of ethical hacking. Kevin Mitnick’s Ghost In The Wires: My Adventures as the World’s Most Wanted Hacker, The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, and Peter Yarworski’s Web Hacking 101: How to Make Money Hacking Ethically are three great places to get started if you like this learning format. There’s plenty more.

Training Courses

Many sites also offer training on ethical hacking, especially now that bug bounties have taken off. Of course, you’ll want to do your due diligence and make sure you aren’t forking over cash without vetting the true credentials of the learning portal. Here’s some tuition providers with the experience to back their claims:

• Bug Bounty Hunting on YouTube
• 100 Bug Bounty Training Lessons
• Portswigger’s Web Security Academy
• SANS Cybersecurity Roadmap from the SANS Institute

[Would you like to be listed here? Send us a note at This email address is being protected from spambots. You need JavaScript enabled to view it.]

Many providers also offer YouTube videos that can help you, and you will find some other helpful resources on YouTube, too. You may find other course providers you like the look of. Just remember to check their credentials!

Gaining Experience on How to do Bug Bounties

Once you’ve cracked the basics, you’ll need to practice- a lot- to get good enough to start seeing a profit. All the technical learning in the world doesn’t help if you don’t have the field experience.

We particularly like sites that offer you the chance to ‘capture the flag’. In other words, test your diagnostics in finding and exploiting vulnerabilities while learning what you need to take those skills into the real world. 

Hack the Box is perhaps one of the best known examples live at the moment. Hack This is also nice, as they have phased their testing grounds over 50 levels, so you can work your way up to more complicated tests as your skills grow. Google Gruyere (yes, it’s named for the cheese) is another highly recommended site, covering everything from CSS issues to DNS issues.

Obviously, these three only scratch the surface of the learning tools available to you. There’s plenty out there to explore, so don’t be shy!

Are There Rules When Getting Started with Bug Bounties?

The only strict rules you need to follow are those set out by any bug bounty program you join. However, there are some smart ‘rules’ it’s best to follow if you’re new to the bug bounty scene.

Choose the Right Program

This isn’t a fun game of chance. You’re leveraging your skills to find exploits. So you don’t want to go in willy-nilly and hope for the best. Spend some time choosing an application you truly understand. Make notes and work through suspicious endpoints methodically. And don’t waste your time on programs that only need surface level engagement. Almost anyone can find those. Deep dives are where the profitable bounties lie.

Do Your Research

Hand in hand with this methodical approach is doing some research. Read the program documentation. Understand its functionalities and the privileges target users have. This way, you have a real chance of finding something that isn’t obvious to everyone trying for the same thing.

Don’t Get Overenthusiastic

It’s exciting to hear about big paydays, but don’t build your hopes on them. Remember the old saying about putting all your eggs in one basket. This is neither a fast nor an automatically lucrative arena. Rather put in the work to hunt bugs as you find them then banking on one being your major payday. 

Don’t Stop Learning

Your skills are only useful while they’re up-to-date, and software changes all the time. Remember that bug hunting is building a skillset that’s very valuable, too, so it’s never wasted, even if you don’t get the payout. Learn how applications work, how they flow, and the programming language they’re built on, and accept that you have to keep these skill sets current, too. It’s never one-and-done.

Follow Other Hackers

Stay abreast of developments in the wider world of ethical hacking, too. You can follow the HackerOne leaderboard, watch tweets from top players, find out what’s been disclosed and where the action is happening, and even leverage Bug Bounty World on Slack to chat with fellow ethical hackers, learn new tools, and stay current.

Work Smarter, Not Harder

Automating vulnerability checks frees up a lot of time, but will need you to learn a programming language to script with. A little work now could cut down on a lot later.

Understand the Bug Bounty

Each program is a little different. Make sure you know where to submit and what details they require. Understand how long it may be to hear back, and what bugs are eligible under the program. Some programs may even be closed on the basis of geographical location or other factors. Before you put in the effort, make sure you understand what you need to do, so you don’t waste your time.

How Much Do Bug Bounties Pay?

If you were hoping to earn a bug bounties salary, then you might need to think again. Getting started with bug bounties can be a great way to earn the odd incentive, but you will need to put a lot of time and effort into building your reputation before it replaces a full-time job.

It’s not meant to be a replacement for paid work, of course, but some top-earning hackers have closed over $1 million in bounties, and even smaller rewards can encourage them to tackle security concerns. On average, however, expect anything from $250 upwards per successful loophole closed.

Keen to know some big payouts? Try these:

• In 2018, Oath Inc paid out $400,000 to 40 participants in their H1-415 event. Verizon media later spent the same again between hackers who helped them close 159 other critical vulnerabilities.
• Microsoft’s biggest single payout to-date was $200,000 to Vasilis Pappas in 2012, but they’ve spent over $2 million on bug bounties.
• Google, with a bug bounty program spanning a decade, has topped $15 million in payouts, with the largest single payment being $41,000
• Facebook has a similar milestone at $40,000 for one single bounty, and has spent over $7.5 million to date

Do All Bug Bounty Programs Pay?

We’ve spent a lot of time talking about bug bounty programs that pay out- but it’s important to realize there’s a huge Open Source community dedicated to improving security for the sake of making the world a better place, not just enhancing one application or software company’s product. Sometimes called non-profit bug bounties, they’re just as important to the wider security net of using OS code as their paid partners, and can be a rewarding space to work in. 

One of the best known platforms for this form of bug hunting is the Open Bug Bounty Program, which acts as a clearinghouse for many OS products, so feel free to check them out. 

They currently co-ordinated 1,300 active bug bounty programs, using 22,000 ap[proved security researchers. So far, they’ve clocked over one million disclosures, and over half a million vulnerability patches have been dispatched through their efforts. 

Unlike many paid programs, which lean heavily into the penetration testing landscape, these programs typically remain focused on vulnerability and security testing. If you, too, would like to become a cybersecurity expert working for the best of the wider coding world, this could be the perfect space for you.

Remaining Problems

This doesn’t mean that bug bounties eliminate all security concerns. Some vendors are simply not committed to staying up-to-date with updates and applying robust security procedures. It also doesn’t help if later software versions have closed the vulnerabilities, if firms don’t proactively work to deploy those fixes or if their user base is never encouraged to update the software.

However, that’s an issue faced by proprietary software too. We only need to look at the variety of consumers who never apply basic security updates to Windows to see what a failure on the end-user side can bring. However, this is an entirely different side of the coin and requires other strategies to fix. 

Final Thoughts on Bug Bounties

Running effective bug bounty programs remains a great way to tackle open source’s biggest issue - a slowed response to vulnerabilities created not through disinterest but simply the large volume of code offered freely.

With even the European Union stepping in to incentivize hackers through bug bounties, we’re creating a safer, better online environment. Alongside organizations and consumers maintaining regular security deployments and keeping software up-to-date, bug bounties can be a valuable tool in ensuring a safer, better world for all users.