Saturday, 29 October 2022

What Is a Bug Bounty Program?

What are bug bounty programs?


Bug bounty programs are a way for companies to find and fix security bugs before attackers exploit them. The company offers compensation to ethical hackers who discover vulnerabilities in its systems and report them responsibly.


Bug bounty platform HackerOne recently found that 53% of organizations have lost customers over a security breach. Bug bounty programs can help prevent such breaches by surfacing vulnerabilities before they are exploited.



History of bug bounty programs


Netscape introduced the first bug bounty program in October 1995. The company offered rewards to users who helped find bugs in the Netscape Navigator 2.0 beta software. Those who discovered significant security bugs won a cash prize. Netscape also rewarded those who found less concerning bugs with Netscape merchandise and items from the Netscape General Store.


Since then, many websites, software developers and large organizations have run their own bug bounty programs. For example, Mozilla introduced a bug bounty program for Firefox in 2004, and it still runs today. Dragos Ruiu was so frustrated with how Apple handled security that he launched the Pwn2Own hacking contest in 2007. At first, hackers received a laptop as their reward, but the competition has grown over the years: in 2022, the contest paid out a record $800,000 to hackers.


In its 2021 bug bounty program recap, GitHub highlighted the most interesting bug submitted that year. Researcher yvvdwf found a vulnerability in GitHub Enterprise Server related to GitHub Pages' support for personalizing sites through different configuration options. GitHub did not properly restrict these user-controlled options, so an attacker could potentially read information on the Enterprise Server. The report from yvvdwf helped GitHub resolve the vulnerability and improve the product's security.


Recently, HackerOne compiled a list of the 10 most commonly discovered security vulnerabilities, and cross-site scripting (XSS) took the top spot. In an XSS attack, an attacker injects client-side script into a web page that other users view, so the script runs in their browsers within their sessions. As a result, the attacker can impersonate another user, steal confidential information, deface websites and much more.
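To make the XSS mechanism concrete, here is an added JavaScript example (not code from the post, HackerOne or GitHub): a constructed search-results template is rendered once with the untrusted query inserted raw and once with it HTML-encoded, plus a small check a test suite can use to flag the renderer that lets raw markup through. The template, the function names and the sample input are all constructed for this demonstration.

```javascript
// Added example: unsafe HTML rendering beside its output-encoded form.
// Everything here (template, names, sample input) is constructed for illustration.

// Characters that must never reach HTML element content or a quoted attribute raw.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode an untrusted value for insertion into HTML text or a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the query is concatenated into the page unchanged, so any
// markup it contains is parsed by the browser as markup (reflected XSS).
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: same template, but the untrusted value is encoded first,
// so the browser displays it literally instead of interpreting it.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Regression check: does the renderer emit an untrusted value that contains
// markup characters verbatim? True means output encoding is missing.
function leaksRawMarkup(render, untrusted) {
  const out = render(untrusted);
  return /[<>"'&]/.test(untrusted) && out.includes(untrusted);
}

// Constructed sample input: the classic harmless probe used in XSS tutorials.
const SAMPLE_QUERY = '<script>alert(1)</script>';

console.log('unsafe:', renderSearchUnsafe(SAMPLE_QUERY));
console.log('safe:  ', renderSearchSafe(SAMPLE_QUERY));
console.log('unsafe leaks markup:', leaksRawMarkup(renderSearchUnsafe, SAMPLE_QUERY));
console.log('safe leaks markup:  ', leaksRawMarkup(renderSearchSafe, SAMPLE_QUERY));
```

Encoding must match the context the value lands in; this escaper covers HTML text and quoted attributes only, not JavaScript, URL or CSS contexts.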
