When you think of a hacker, it’s likely you picture a villainous mastermind sitting in a dark basement, decked out in a black hoodie and the glow of their monitor as they try to steal precious data. But what if we were to tell you the hacker isn’t always the antagonist, and in bug bounty programs, hackers are actually the heroes? Meet bug bounty programs— programs that aim to reduce breaches over time by compensating “ethical hackers,” or non-affiliated security researchers, to spot holes in a company’s security infrastructure.
The benefits of bug bounty programs aren’t limited to companies ethical hackers—you can gain a lot from them, too. When you create a website for your business, picking a website provider with a bug bounty program can give you the peace of mind that your chosen platform continually enhances their security.
In this article, we’ll go over what bug bounty programs are, dive into their history, plus highlight how they benefit businesses big and small.
Tip: Security experts manage the security for every website built on Wix—from threat prevention to real-time detection and rapid response. Learn more about how Wix website security can give you the peace of mind you need to run your business.
What are bug bounty programs?
Bug bounty programs are a way for companies to find and fix cybersecurity bugs. Companies will offer compensation to ethical hackers who reveal vulnerabilities in their systems.
Bug bounty platform HackerOne recently found that 53% of organizations have lost customers over a security breach. Bug bounty programs can prevent these breaches from happening in the first place.
History of bug bounty programs
Netscape introduced the first bug bounty program in October 1995. The company offered rewards to users who helped find bugs in the Netscape Navigator 2.0 beta software. Those who discovered significant security bugs won a cash prize. Netscape also rewarded those who found less concerning bugs with Netscape merchandise and items from the Netscape General Store.
Since then, many websites, software developers and large organizations have run their own bug bounty programs. For example, iMozilla Firefox introduced their own bug bounty program in 2004—a program that still runs today. And Dragos Ruiu was so frustrated with how Apple handled security, that he launched the Pwn2Own hacking contest in 2007. At first, hackers received a laptop as their reward, but the competition has grown over the years. In 2022, the contest doled out a record amount of $800,000 to hackers.
In their 2021 bug bounty program recap, Github touched on the most interesting submitted bug. Researcher yvvdwf found a vulnerability with the GitHub Enterprise Server, pertaining to GitHub Pages’ option to personalize sites with different configuration options. GitHub didn’t properly restrict the user-controlled options, so an attacker could potentially read information on the Enterprise Server. Yvvdwf helped resolve the vulnerability and increased the product’s security.
Recently, HackerOne compiled a list of the 10 most commonly discovered security vulnerabilities, and cross-site scripting (XSS) took the top spot. In an XSS attack, a hacker injects client-side scripts into a website. As a result, they can impersonate another user, steal confidential information, deface websites and much more.
Bug bounty programs
Wix’s Bug Bounty program is managed on the HackerOne platform and invites website security researchers to submit a vulnerability report with relevant details to firstname.lastname@example.org. Various issues or vulnerabilities include XSS attacks, SQL injection vulnerabilities, an unsecured API and more.
“Our bug bounty program has been running for over four years, and some researchers have been working with it since its earliest days,” says Ifat Kooperli, who leads the vulnerability management domain in the Wix Application Security team, in an interview with HackerOne. “Researchers are integral to our application security because they have a deep understanding of our platform. The findings they submit are incredibly valuable to us because they can identify exactly what causes a problem, and our team can then focus on how it should be solved.”
“By examining our researchers’ findings, we learn about our weak spots—both in specific features and laterally—when we see the same issue repeatedly across the platform,” said Kooperli. “When we see the same vulnerability repeatedly, we examine the root cause and find out how it can be mitigated across the platform.”
Learn more about how your web hosting platform affects your security.
Cloud collaboration service Airtable works with those who find a security issue in their services that they should know about. Like many other prominent bug bounty programs, they work with HackerOne to take submissions.
The company has paid out more than $80,000 in bounties, with most averaging to be $100. They also offer more for discovering more pressing bugs–$500 to $5,000 is the top bounty range.
To qualify for Snapchat’s bug bounty program, the researcher has to be the first person to report the specific vulnerability. A full description and report have to be submitted, including outlined steps on how to reproduce the glitch.
The minimum reward is $250. You can get as much as $35,000, but Snapchat only gives out that amount for catching bugs that affect server-side remote code execution. As of July 2022, Snapchat has rewarded bounties adding up to $491,667.
HackerOne manages the Secure@Sony program, Sony’s bug bounty program. You can check out the ethical hackers and submitted bugs on the program’s Hall of Thanks. Those that find viable bugs receive a “Secure@Sony Finder” T-shirt in return.
Uber also posts their bug bounty program guidelines on HackerOne. Uber rewards high-quality reports that lead to resolution with a minimum bounty of $500. The company aims to pay these rewards within 14 days of accepting the submission.
The benefits of bug bounty programs for companies
When you first hear about a bug bounty program, it might seem improbable: Why would large companies and organizations invite researchers to find these security flaws? However, these programs come with a slew of benefits for corporations.
Reduces vulnerabilities of attack
As Hack_EDU explains, bug bounty programs often identify vulnerabilities before they can be used in attacks. These programs incentivize white hat hackers to proactively find flaws that ill-intentioned forces could exploit. Also, it gives in-house developers the chance to learn from the bugs that outside researchers found.
Tip: Every vulnerability found in Wix’s bug bounty program is documented in its internal systems and analyzed for severity, type, and amount to help improve the company’s security posture through data-based decisions.
Bug bounty programs provide the opportunity for companies and organizations to discover talented researchers. If an ethical hacker submits a well-documented report that leads to a major security issue being fixed, it’ll likely catch the security team’s attention. Organizations and companies can then collaborate with these researchers on similar cybersecurity projects, or even hire them to work in-house. This might not be advantageous for a serial bug hunter though, who might make more money with a day job and finding one-off bugs that they collect bounty for.
Tip: Wix employs over a thousand developers, dozens of ethical hackers, plus a well-connected (and unlimited) group of Bug Bounty researchers and a triage team that look for vulnerabilities in the platform at all times.
Understandably, organizations would prefer to catch bugs before a hacker exploits them. Spending financial resources on a bounty for a bug will often be more cost effective than dealing with a cyberattack that stems from a security flaw. Additionally, companies only give out rewards if someone finds a bug. Rather than pay researchers hourly to look for potential bugs, these organizations pay when researchers discover and correctly report a critical issue.
Simulate attacks, practice, prepare and pre-empt
These bug hunters look for the chinks in the armor of websites’ infrastructure without actually going in for the damage. Companies simulate a cybersecurity attack, but it won’t be to a large-scale effect that would cause major problems and take massive bandwidth to fix. When hunters submit reports, organizations can reproduce the bug for practice. Furthermore, running practice cybersecurity checks with in-house engineers can only do so much–sometimes it takes an outside perspective to see bugs.
Tip: Every Wix site has built-in enterprise-grade protection and 24/7 security monitoring, so users can stay focused on growing their online presence.
The benefits of bug bounty programs for ethical hackers
Companies and organizations can gain a lot from bug bounty programs, but ethical hackers and researchers also benefit from these programs.
First, ethical hackers can treat bug bounty programs as a chance to test their skills at finding security flaws in companies’ cybersecurity infrastructure. Since companies openly invite hackers to search for these bugs, ethical hackers can legally test their abilities against large companies and even some government agencies.
Additionally, some ethical hackers view these programs as a way to make some supplemental income, almost like a freelance opportunity. Recent research from Intigriti found that 66% of ethical hackers surveyed are considering bug bounty hunting as a full-time career and that 96% would like to spend more time participating in these programs. Bug hunting offers enticing flexibility: you get to be your own boss and can work almost anywhere. However, experts want potential full-time bug hunters to consider a few points before taking the plunge.
Community may be a benefit for bug bounty hunters. Security researchers share information on online forums and platforms like HackerOne facilitate collaboration.
“It’s also important to keep researchers engaged and aware that you value their work,” says Kooperli of Wix. “Open communication on the HackerOne platform and other channels, sending branded swag, and other gestures can help your company build a relationship with your researchers.”
The future of bug bounty programs
As cybersecurity basics continue to evolve, so will bug bounty programs. New tools and products for those looking to host a website will mean that there will be new vulnerabilities for bug hunters to discover. Some bug bounty programs want to incentivize researchers with non-monetary rewards for certain reports. Other programs, such as Meta’s, are launching educational opportunities for researchers.
By Rebecca Tomasis
Organic Growth Expert