Bug bounty program

History

The original "Bugs Bounty" program was the creation of Jarrett Ridlinghafer while working at Netscape Communications Corporation as a technical support Engineer.

Netscape encouraged its employees to push themselves and do whatever it takes to get the job done and, in late 1995, Jarrett Ridlinghafer was inspired with the idea for, and coined the phrase, 'Bugs Bounty'.

He recognized that Netscape had many enthusiasts and evangelists for their products, some of whom to him seemed even fanatical, particularly for the Mosaic/Netscape/Mozilla browser. He started to investigate the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds:

Ridlinghafer thought the company should leverage these resources and sat down and wrote out a proposal for the 'Netscape Bugs Bounty Program', which he presented to his manager who in turn suggested that Ridlinghafer present it at the next company executive team meeting.

At the next executive team meeting, which was attended by James Barksdale, Marc Andreessen and the VPs of every department including product engineering, each member was given a copy of the 'Netscape Bugs Bounty Program' proposal and Ridlinghafer was invited to present his idea to the Netscape Executive Team.

Everyone at the meeting embraced the idea except the VP of Engineering, who did not want it to go forward believing it to be a waste of time and resources. However, the VP of Engineering was overruled and Ridlinghafer was given an initial $50k budget to run with the proposal and the first official 'Bugs Bounty' program was launched in 1995.

The program was such a huge success that it is mentioned in many of books about Netscape's successes.

Incidents

In August 2013, a Computer Science student named Khalil used an exploit to post a letter on the Facebook timeline of site founder Mark Zuckerberg. According to the hacker, he had tried to report the vulnerability using Facebook's bug bounty program, but because of the vague and incomplete report the response team told him that his vulnerability was not actually a bug.

Facebook started paying researchers who find and report security bugs by issuing them custom branded “White Hat” debit cards that can be reloaded with funds each time the researchers discover new flaws. “Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them,” Ryan McGeehan, former manager of Facebook’s security response team, told CNET in an interview. “Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say ‘I did special work for Facebook.’” In 2014, Facebook stopped issuing debit cards to researchers.

India, which has the second largest number of bug hunters in the world, tops the Facebook Bug Bounty Program with the largest number of valid bugs. "Researchers in Russia earned the highest amount per report in 2013, receiving an average of $3,961 for 38 bugs. India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The USA reported 92 issues and averaged $2,272 in rewards. Brazil and the UK were third and fourth by volume, with 53 bugs and 40 bugs, respectively, and average rewards of $3,792 and $2,950", Facebook quoted in a post.

Yahoo! was severely criticized for sending out Yahoo! T-shirts as reward to the Security Researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called T-shirt-gate. High-Tech Bridge, a Geneva, Switzerland-based security testing company issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team claimed later in a blog post that he was behind the voucher reward program, and that he basically had been paying for them out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, that allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.

Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3133.70.

Similarly, Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software. The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.

In March 2016, Peter Cook announced the federal government's first bug bounty program, the "Hack the Pentagon" program. The program ran from April 18 to May 12 and over 1400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200. In June, the Secretary of Defense, Ash Carter, met with two participants, David Dworken and Craig Arendt, to honor them for their participation in the program.