How do software companies find dangerous bugs in their code? Ideally, their own QA departments discover them before it’s released. Sometimes they find out only when customers have problems. That might mean after there’s been a breach. But sometimes they hear about bugs from freelancers who find them in return for a reward. These people are called bug bounty hunters.

Some companies find it worthwhile to offer payment for bug reports. Learning about security holes before anyone can exploit them can save the company’s reputation, which is worth a lot of money. Recently¬†Google paid $112,500 to a researcher¬†for discovering a flaw that could have let a website push arbitrary code into an Android device. Having to deal with it after criminals found out could have been far more expensive.

The Mind of the Bounty Hunter

Bug hunting makes up half or more of some people’s income. They spend hours every day looking for flaws in websites. How different are they, really, from those who do the same thing and use their discoveries to steal information? Sometimes the same person plays both sides of the fence, depending on which one is paying better.

It’s the challenge, perhaps even more than the money, which motivates them. Anyone with those skills could get a well-paying job in QA. But they’d rather be on their own, chasing down bugs without reporting to a boss. Their attitude is, “So you think I can’t break this code? I’ll show you!”

The Benefit to Users

A bounty may encourage hackers to stay within the law. It can even motivate them to work harder at what they like to do. It’s easier to explain their income when it comes from Google rather than the Shadow Brokers, and there’s less chance of blackmail afterward. When they report bugs, the software publisher can fix them before anyone is harmed.

Software bounty hunters are a strange breed, there’s no question. But they do all of us some good.

Need to learn more about IT security? Take a look at POWERUp18 security sessions.

Leave a Reply

Your email address will not be published. Required fields are marked *