Is Bug Bounty Worth The Hype?

This article discusses the pros and cons of bug bounty programs and how they can be useful for organizations.

Andrew Kedi
3 min readJan 27, 2023
Photo by OX blog

Bug bounty programs are becoming increasingly popular with companies as they provide an extra layer of protection to their operating systems and projects. In the last year alone, hackerone, an elite organization that runs bug bounty programs, has amassed nine individual hackers who have earned a sizeable sum of money via bug bounty hunting. As such, the total bounty earnings for these hackers amount to tens of millions of dollars — some even reaching six-figure sums. Not only is the money attractive, but it’s also a great opportunity for amateur hackers — often teenagers — to gain experience and start earning money in the security sector. As a result, finding bugs can be lucrative and companies pay out sizable sums when bugs are reported.

A bug bounty program is a means of bug bounty hunting, which offers recognition and compensation to security researchers who are eligible to report bugs, security exploits and vulnerabilities in an organization’s code base. Companies delineate the scope of the bounty program and offer rewards for the successful identification of security issues.

Bug bounty programs are a way for companies to crowdsource the discovery of software vulnerabilities. They’re attractive to many ethical researchers because they reward them for discovering critical bugs that could make hackers money. Note that security experts don’t just make money from bug bounties — they need soft and hard skills, such as being able to look at an application from an attacker’s perspective, as well as being good observers. It takes time and effort to find these bugs and collect their rewards, which can range in tens of thousands of dollars depending on the number and severity of the vulnerabilities found. Furthermore, it also pays to be an expert in finding medium and low vulnerabilities since even those fetch a hefty sum compared to other jobs. All in all, bug bounty programs are worth the hype as they provide a great opportunity for bug hunters or bounty hunters to not only put their technical skills into practice but also earn some decent money while doing so.

Gerhard Wagner, a security researcher, and hacker, won the largest bounties in bug bounty programs which have helped to boost the popularity of these programs. The programs give organizations the chance to solicit help from experienced and skilled security researchers or white hat hackers in identifying and reporting vulnerabilities. This helps organizations save much money as they don’t have to hire specialized personnel on a full-time basis.

A security researcher can expect recognition and compensation for reporting bugs, exploits or vulnerabilities. They also get rewarded for writing codes and scripts to test for any kind of technical errors that can lead to compromising an organization’s security. The reward depends on the severity level of the issue found. Therefore, bug bounty programs have become popular in recent years as organizations have started to offer rewards for finding technical errors in their code base which can cause serious security issues if not identified on time.

Bug bounties have also become popular because of their ability to crowdsource testing and security assessments, allowing organizations to access a wider range of quality testers and researchers from around the world. The work itself is varied and interesting, as testers can hack cool things, do usability research, secure applications, lead bug bounties, etc.

Let me know when you have any opinions in the comments section.

Have fun!

--

--

Andrew Kedi

Msc. Information security, certified Linux Administrator(LPIC-1), CISSP, Passionate with cyber security and bug bounty.