Microsoft (MSFT) will pay software researchers a hefty bounty for finding security threats, in some cases up to $26,000.
The software behemoth will pay the bounties for submissions that “have the highest potential impact on customer privacy and security,” Microsoft said in a blog post.
Giving out rewards is common in the information security industry because the quality assurance teams of software manufacturers are not expected to catch everything, Tim Maliyil, CEO of Las Vegas-based cybersecurity services firm AlertBoot, told TheStreet.
“The bug bounty program incentivizes talented people outside of an organization to find issues,” he said. “The result is a better and more secure product in the long run.”
Why Bounties Are Needed
Between responding to phishing attacks and implementing best practices for cloud security, security teams are overburdened.
Davis McCarthy, principal security researcher at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, told TheStreet that many hackers are game to catch bugs.
“Cybercrime is lucrative,” he said. “Would you rather reward someone who closes your front door or find out later they robbed you?”
Hacking has turned into a full-blown industry and data is the new commodity, whether on Wall Street or in the underground, he said.
“Cybercriminals monetize passwords, remote access to corporate networks, exploits and botnets,” McCarthy said.
Bug bounty programs can be effective cybersecurity tools that provide a good "bang for the buck," Rick Holland, chief information security officer at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, told TheStreet.
“These programs extend defenders' vulnerability management strategy by complementing internal efforts,” he said. “Companies can outsource the triage and management of vulnerability disclosure to a third party.”
Bug bounty programs represent a detente between vulnerability researchers and software companies, John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, told TheStreet.
In the past, vulnerabilities were sometimes disclosed publicly, and companies threatened researchers with prosecution.
The bounties are a solution for both security researchers and companies, he said.
“This allows for researchers to do what they love and make money for their time,” Bambenek said. “It won’t be as much as spy agencies would pay, but you get to keep your soul.”
While bug bounty programs are not perfect, they do give researchers some incentive to hunt for flaws “knowing they can be rewarded for their efforts with more than just bragging rights,” Mike Parkin, a senior technical engineer at Vulcan Cyber, a Tel Aviv-based provider of SaaS for enterprise cyber risk remediation, told TheStreet.
Who Are Companies Paying?
Some hackers remain white hat ones because they find the problems, but don't exploit them and have no expectation of compensation, Maliyil said.
The black hat ones will exploit security issues by extorting and/or stealing from users of the product with the flaw, he said.
The other type is red hat hackers, who are closer to being white hat hackers but with a vigilante twist, Maliyil said.
“They will also take matters into their own hands to stop black hat hackers such as Anonymous, a famous group of hackers, in taking down Russia's ability to attack others,” he said. “They are stealing whatever intel they can steal from Russian servers. Imagine Batman being a computer nerd.”
Hackers can be “fluid” in their actions, Maliyil said.
“Yeah, I can be a bad guy, but I'm acting like a white hat hacker if I'm reporting the bugs or exploits to the software manufacturer,” he said.
The bottom line is that software manufacturers only pay the person reporting the bug if they find value in what was given to them.
“The hacker didn't break the product,” Maliyil said. “They only found an exploitable issue of the product, which is the manufacturer's fault at the end of the day.”
Some companies could be paying the hackers themselves, but the end result is still beneficial, Bambenek said.
“They are paying hackers,” he said. “You can’t guarantee morality is an absolute, however, if bad people are doing the right thing for the wrong reason, it’s still a win for society.”
The payouts for bug reports can sometimes exceed six-figure sums, but good security researchers should also profit, Ray Kelly, a fellow at NTT Application Security, a San Jose, Calif.-based provider of application security, told TheStreet.
“It may sound like a lot,” he said. “However, the cost for an organization to remediate and recover from a zero-day vulnerability could total millions of dollars in lost revenue.”
Do Bug Bounties Work?
The financial rewards do work, Casey Ellis, chief technology officer at Bugcrowd, a San Francisco-based crowdsourced cybersecurity company, told TheStreet.
“They work so much so that we've coined the phrase ‘oh crap moment’ within Bugcrowd,” he said.
Most companies and organizations believe they are secure, but the bug bounties reveal quickly that these vulnerabilities can be discovered by people with no insider knowledge.
The researchers reporting the bounties have the right skill set and incentive to activate the work.
“If an organization is ready to focus on mitigating the risks that matter the most, bug bounty programs unequivocally work to inform where that effort should be directed next in order to reduce risk because they mimic the adversary's incentives, capabilities and behavior,” Ellis said.
Bug bounties are a “great way” to expose an organization's flaws, Brian Contos, chief security officer of Phosphorus Cybersecurity, a Nashville-based IoT security company, told TheStreet.
“This approach can quickly and inexpensively identify vulnerabilities,” he said.
The number of vulnerabilities and the criticality of those vulnerabilities generally dictates the amount of the bounty.
“Because there is financial compensation for those individuals testing these systems they are well motivated to deliver accurate, timely work,” Contos said.
Who Offers Bounties
Large companies will offer these rewards and even government agencies have jumped on the bandwagon.
The Department of Homeland Security launched a program in December 2021, but the compensation is much lower and ranges only from $500 to $5,000.
The larger companies are usually the ones who can afford to offer more lucrative bounties, Maliyil said.
“Their large user base means people will try to exploit their products anyway,” he said. “They might as well compensate the people who find legitimate problems. One could probably argue this is much more cost-effective and efficient than solely trying to maintain a staff of dedicated exploit hunters.”
While software companies are the most common providers of financial incentives, Bugcrowd also works with banks, payment card processors, automotive and aviation companies, and even the Departments of Defense and Homeland Security, Ellis said.
Technology companies that don't offer bug bounty programs are already behind the curve, Holland said.
“Given that almost all companies are technology companies, most public-facing ones should have vulnerability disclosure or bug bounty programs,” he said.