The Benefits of Bug Bounty Programs
The web is exploding—more people are using it to do more, in more varied ways, than at any point in its short history.
The phone is a perfect example of the rise of digital life. Since its invention at the end of the 20th century, it's expanded from a minor technical elite to over sixty percent of the world's population – more than five billion people are slated to have phones by the end of 2019. Our tiny pocket computers have conquered the world in under 30 years. Like the Big Bang, phone usage hasn't exploded so much as expanded at a stupendous rate, inflating to encompass the majority of the world's population. From the landline void came the spark of a mobile, unbounded future, and almost as quickly as the idea was conceived, it was realized.
The following chart from the UN's 2015 study on its progress towards the Millennium Goals captures the extent to which phone ownership grew to encompass nearly everyone in the world just through the early 2010s:
As a result of that expansion in internet access and a parallel increase in the web's complexity, more people are able to get online easily and are capable of doing more once they're there. Shopping, banking, socializing – an increasing part of our lives is lived online. And thanks to the data analysis of wunderkind artificial neural networks (algorithms designed to replicate the mathematical model of the human brain and its astounding success at pattern-recognition), trends point to more data collection. Neural nets are complicated to write but easy enough to use – as long as you feed them enough information. Our devices know more about us than ever and they're learning more every day.
This graph shows how much data is being created (or is estimated to be created) every minute over the next couple of years. The y-x axis on the following graph is measured in zettabytes (ZB): 1 ZB = 1 billion terabytes (TB). The numbers are staggering:
More applications performing more complex services for more people and managing more data leads to things breaking. The demand for web developers has soared as companies try to realize their technical aspirations, but supply has not kept up with the almost unlimited appetite for development work. Coding bootcamps, online courses, and other alternatives to a four-year degree have become a popular entry point for a career in software engineering, but there's still a large gap between what the programming companies want done versus the programmers who are available and capable of doing it. As demands on developer time and attention have increased, security concerns once avoided as costly and nonessential have ballooned into crises for inattentive businesses, as vulnerabilities have led to data breaches, commercial exploitation, identity theft, and even espionage by state actors and criminal syndicates.
Bug bounties are the crowdsourced alternative to an expensive, in-house security apparatus. Technology companies (from mega corps to small, five-person start-ups) have embraced using public bug bounty programs to find the sort of faulty logic and mishandled data-processing in their applications that hackers typically use as footholds for larger campaigns. By finding vulnerabilities before they become exploits, companies can pay for work that directly reduces their exposure without having to cover the cost of a full security audit. Some companies choose to participate in third-party platforms, such as Bugcrowd or HackerOne, in order to standardize their payouts, submission report formatting, rules of engagement, and target lists, while others are large enough to run a program under their own umbrella.
Either way, by participating as a researcher, you get paid to apply your skills. And since many bug bounty marketplaces also track things such as the number of bugs you've found, their severity, and your general success rate, doing third-party research on public platforms can also be a great bridge to more work in security. If you're coming from a non-traditional background or don't have formal education in security, it could help make the case you've got the necessary skills to be productive in the field. You can do all of this while – by responsibly following the discovery and disclosure process – making the target application, and the general web, safer.