With the growing number of security breaches and cyber attacks in our daily life, more friendly hackers are making a living from finding software flaws before malicious ones do.
The profession of bounty hunter, which has long fed the imagination of Hollywood, is legal in the U.S., where ordinary citizens can search for bail jumpers.
Fugitive recovery agents, to exercise their craft, need a strong heart, negotiation skills, and, if necessary, martial arts skills and weapons to subdue their target.You can get $31,000 from #Google for finding bugsClick To Tweet
Yet, on the Internet, bounty hunters pretty much just have to be skilled with coding. There is another breed of bounty hunters who, instead of apprehending criminal fugitives, hunt “bugs”, or flaws in company security software, for handsome rewards.
How Bug Hunting Started
It all started with Netscape, which on Oct. 10, 1995, rolled out the first-ever bug bounty program to reward users who could identify security bugs in its Navigator 2.0 Beta.
Seven years later, iDefense was the second to offer a reward for a “middleman” who would report bugs in third-party software.
In 2004, the Mozilla Foundation created its own bounty, offering up to $500 USD in rewards to those who find critical vulnerabilities in the Firefox browser.
TippingPoint was the second company to launch a “middleman” bug bounty program, in 2005, known as the Xero Day Initiative.
Then, in 2007, the Zero Day Initiative (ZDI) launched the famous Pwn2Own competition, where participants had to search for security vulnerabilities in the main operating systems and internet browsers available back then, competing for a superlaptop and $10,000 cash.
ZDI just celebrated the 10th anniversary of Pwn2Own, holding the Pwn2Own 2017 in March at the CanSecWest 2017 Conference in Vancouver, Canada. The contest was extended to include five categories that reflect security trends in computing space, this time with over $1,000,000 USD in rewards.
Friendly Hackers to Make Internet Safer
Since Netscape’s first bug bounty program back in the 1990’s, the world and computing have drastically changed. Now, we’re at the age of cloud computing, digital currencies, and the Internet of Things is, well, a thing. The “hackable” zone has become so vast that it led to the rise of large-scale malware attacks that we’ve never seen before (read about the Equifax hack and Yahoo’s super breach).
In recent years, bug bounty hunting has become a common practice among whitehat hackers who found a legit way to put their “dark” skills to good use and make some cash.
Google is all over the web with its apps, services, and tools that are not exempt from the natural vulnerabilities that come with coding something. In 2010, Google launched its bug bounty program, now known as the Google VRP (Vulnerability Reward Program).
For rewards ranging from $100 to $31,000 USD, security experts all over the world are called to look for qualifying security bugs in all Google-owned products under these domains: google.com, youtube.com, and blogger.com.
A year later, in 2011, Facebook launched its bug bounty program, Facebook Whitehat, offering minimum rewards of $5,000 with no upper limit.
The Internet Bug Bounty is an international program sponsored by five companies and organizations: Facebook, Microsoft, Ford Foundation, HackerOne, and GitHub, with a management panel of volunteer security researchers.
The IBB program rewards (with cash prizes of $5,000 USD for a qualifying bug) “friendly hackers” for spotting security vulnerabilities in the internet infrastructure that can affect the wide public.
The U.S. Department of Defense also holds its own bug bounty competitions (the U.S. Navy’s Hack Our Ship Program is one good example).