Bug Bounty is a crowdsourcing system designed to reward responsible disclosure of software vulnerabilities. It allows individuals, organizations, and companies to reward researchers and security experts for finding and reporting security weaknesses in their software, often through an online bounty program. It is an increasingly popular security resource, particularly for software producers.
In traditional bug bounty programs, a security professional or hobbyist actively seeks out security vulnerabilities, often aided by automated web scanners and source code analysis. Once a vulnerability is discovered, they typically contact the vendor to agree on a mutually accepted reward. These rewards range from a few credits to larger payouts, with some companies offering rewards in the tens of thousands of dollars.
In addition, bug bounty services are often used by developers and software vendors as an alternative to costly penetration testing. Compared with traditional pen testing, bug bounty programs offer cost savings for software producers while still ensuring that potential vulnerabilities are identified and addressed in a timely manner.
With their increasing popularity, bug bounty programs are also gaining traction in the government and corporate sectors. By drawing on the crowd, they increase the potential reach of security testing, on the premise that the wider the network of possible reporters, the more vulnerabilities can be uncovered.
Overall, bug bounty programs are designed to motivate and empower members of the public to improve the security of software and hardware on the internet. By providing rewards for responsible disclosure, bug bounty programs encourage vulnerability reporters of all skill levels to help protect against threats that could otherwise go unnoticed.