Bug bounty programs are initiated by developers and vendors with the aim of rewarding or compensating individuals who find and report bugs, exploits and/or vulnerabilities in their software, systems, applications or websites.
Such programs are often run by companies in an effort to improve their cybersecurity measures and prevent threat actors from leveraging those bugs and vulnerabilities to breach their systems. As such, “bounties”, or rewards, are typically paid out as part of the organisation’s vulnerability testing and management to those who are able to find these often-missed bugs or vulnerabilities.
Companies can hire a specific security firm to carry out the “bug hunting” or launch a program that is open to cybersecurity experts, ethical hackers and other professionals in the field. These programs allow IT teams or developers to become aware of possible bugs or vulnerabilities in their websites or software before cybercriminals beat them to it. It is a way for businesses and developers to take a proactive and predictive approach to cybersecurity, because unnoticed and unknown errors within systems can lead to bigger problems later on, zero-day attacks for example.
Organisations may assign particular rewards depending on the severity of the bugs or vulnerabilities discovered by the ethical hackers who participate in their bug bounty programs.