Bug bounty program

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security vulnerabilities. If no financial reward is offered, it is called a vulnerability disclosure program.

These programs, which can be considered a form of crowdsourced penetration testing, grant permission for unaffiliated individuals—called bug bounty hunters, white hats or ethical hackers—to find and report vulnerabilities. If the developers discover and patch bugs before the general public is aware of them, cyberattacks that might have exploited are no longer possible.

Participants in bug bounty programs come from a variety of countries, and although a primary motivation is monetary reward, there are a variety of other motivations for participating. Hackers could earn much more money for selling undisclosed zero-day vulnerabilities to brokers, spyware companies, or government agencies instead of the software vendor. If they search for vulnerabilities outside the scope of bug bounty programs, they might find themselves facing legal threats under cybercrime laws. The scale of bug bounty programs increased dramatically in the late 2010s.

Some large companies and organizations run and operate their own bug bounty programs, including Microsoft, Facebook, Google, Mozilla, the European Union, and the United States federal government. Other companies offer bug bounties via platforms such as HackerOne.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.