The risks of bug bounties

Bug bounty programs have been around since at least 1995, when it is believed Netscape launched the first one. The latest is the refresh of Twitter’s, which promises at least US$140 to those who find vulnerabilities in the social network’s online, iOS and Android apps.

Canada’s OpenText, Google, Microsoft, Facebook, YouTube, and Yahoo are among the major companies to offer bounties with cash or recognition. The idea of rewarding people for finding bugs in their applications is considered so worthwhile by vendors that San Francisco-based acts as a central clearing house for 36 small firms and startups, such as Pinterest.

It counts well over 100 other bug bounty programs.

But are they worth it? Swiss-based penetration testing firm High-Tech Bridge has been skeptical. In a blog posted today, a staffer interviewed CEO Ilia Kolochenko, who said bounties can be an effective tool, if implemented and operated correctly.

The problem is that a bounty can give a green light to attacking a system. “Checking for XSS (cross-site scripting) is harmless and even without a bounty program I would say perfectly legal if used to notify the vendor,” Kolochenko is quoted as saying. “But in checking for something more dangerous, like SQLi (SQL injection) flaws, if the researcher is not skilled enough he could unintentionally delete something or make something unusable by incompetent testing. I am not even speaking about automated tools and scanners that can seriously harm live systems if used blindly. The problem is that quite often crowds of young hackers use a dozen vulnerability scanners simultaneously to fuzz the victim, betting on the quantity rather than quality of security checks.”

He adds that “competent researchers are not usually the people who regularly submit bugs to collect the bounties, simply because that is not their motivation. They may do it from time to time for glory or mainly for fun/challenge, but that’s definitely not their core business/hobby.”

The smaller the reward, he also argues, the greater the likelihood that inexperienced hackers will overwhelm a bounty team.

Here’s an idea he suggests: A job offer for the top researcher of the year. That would not only attract talented people, but also boost the company’s security.

If your company has a bug bounty — or has considered and found it wanting — let us know in the comments section below.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
