Getting Paid for Breaking Things: The Fundamentals of Bug Bounty

According to the latest Software Fail Watch report released by Tricentis, companies all over the world lost $1.7 trillion last year to software failures and vulnerabilities. Such tremendous losses incentivize businesses to increase spending on software testing. Companies are expanding their staff with professional testers and investing significant amounts of money in automated testing systems.

There is one more initiative that organizations spare no expense in funding: bug bounty programs. Major high-tech corporations, including Google, Facebook and Apple, and even governments pay white hat hackers for discovering vulnerabilities in their software. Let’s take a look at the history and evolution of this phenomenon.

The practice of rewarding people for finding loopholes in security systems appeared long before the first software was written. In the 19th century, a British manufacturer of door locks offered 200 gold guineas, worth about $20,000 today, to anyone who could defeat one of its products. American inventor Alfred Charles Hobbs took up the challenge, picked the lock within 25 minutes, and collected the promised reward.

More than a century later, companies’ security concerns have shifted to the digital domain. Software vulnerabilities that attackers can exploit have become an issue at least as serious as insecure door locks. The first IT initiative to offer enthusiasts a reward for finding vulnerabilities is believed to have been an advertisement by Hunter & Ready. The company was developing a real-time operating system called VRTX and promised a brand-new Volkswagen Beetle to anyone who found a bug in it. Winners could instead opt for a cash prize of $1,000.

By the mid-1990s a number of high-profile hacker attacks had taken place, and the modern IT security industry came into existence. Back then, the first web browsers were gaining momentum, with the (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by David Balaban. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/M4pU6GEcWS0/