ZD Tech: Bug bounty, paid to hack


Hello everyone, and welcome to ZD Tech, the daily ZDNet editorial podcast. My name is Louis Adam, and today I will explain what bug bounty programs are and why companies are willing to pay large sums of money to those who manage to hack them.

In most cases, hacking a company can get you into trouble. Unless you have its blessing!

What is a bug bounty?

This is, roughly, the principle behind “bug bounty” programs (“prime aux bugs” in French). The aim of these programs is to reward security researchers outside the company who report bugs or vulnerabilities to it, so that it can fix them.

Originally, bug bounties were meant to solve a problem faced by both security researchers and companies: when a researcher discovers a vulnerability in a piece of software, say an operating system like Windows, the right thing to do is to report it to Microsoft so that it can be fixed.

Simplifying the process

But this is not straightforward. First, you have to find the right person to contact. Then you have to make sure that person fully understands the scope of the vulnerability. Then you have to wait until the company is able to produce a fix, preferably an effective one, and distribute it to its customers. And for their trouble, the researchers behind the discovery may feel they deserve a reward, which then has to be negotiated with the company in question.

And vulnerabilities are discovered every day, in all kinds of products!

So, to simplify this sometimes tedious process, the practice of bug bounties began to spread in the early 2010s, with programs aimed at external researchers. Companies like HackerOne, or YesWeHack in France, specialize in this area and offer companies this type of “turnkey” program.

For companies, running a bug bounty has significant advantages: for example, they can precisely define which software and services are covered, and the amounts that will be paid to researchers. Above all, it lets them make sure the vulnerability stays confidential while a patch is developed.

For researchers, it makes it easier to make contact and obtain a reward, so they can spend less time on these steps and more on finding vulnerabilities.

This is a first step, but it is not a panacea: companies can choose to favor certain bugs or certain products over others, which makes their programs more or less attractive. They can also drag their feet on producing a patch, or pay researchers the bare minimum.

But for this kind of flaw, competition is stiff. Apple, for instance, will pay up to $1 million for a major vulnerability in its iOS mobile operating system. And zero-day flaws promise double …