Bounty Programs

What is a bounty program ?

A bounty program is an official scheme offered by multiple companies for disclosure of general bugs or security holes and vulnerabilities. In return, the individual security researchers can receive recognition or monetary or physical rewards. Such programs are offered by some of the biggest names in the software business including Google, Facebook, Microsoft, Yahoo!, Reddit and many more.

How did it all began ?

Bounty programs began with the widespread use of the Internet and the software to go with it. The first known bug bounty program started in Netscape, where a technical support Engineer named Jarrett Ridlinghafer noticed the almost fanatic following that Netscape had as a browser - as software engineers themselves, Netscape's users started finding bugs and security holes in their beloved browser and posted workarounds or fixes in online forums. Ridlinghafer decided that the company can well benefit from the efforts of its fans and at a next meeting with the comapny's executives he put up a draft for 'Netscape Bugs Bounty Program' up for discussion. Eventually, the plan was almost unanimously agreed upon and the world's first bounty program has been born. Needless to say that it was a huge success hence the big number of bounty programs today.

Why bug bounties are such a big hit ?

It all comes down to the fact that bounty programs present a win-win situation for both sides. For companies, the goal is to have (relatively) bug free software for the least amount of money. Sure, you can hire a number of security professionals, but that will substantially increase the cost. On the other hand, by running a bug bounty program you let each individual security researcher have a go at your software and only if they find anything - you give them a reward. From the researchers' perspective, it is also beneficial because these programs are essentially a chance to gain real-life experience. Dummy apps like bWAPP are fine, but having your knowledge tested against real world applications is totally on another level. Plus, the change of earning something extra or bragging that you prevented Facebook from being hacked is always there.

Facebook giving away T-shirts and debit cards to security researchers

Bug bounty programs and Secapps

The question is what all this has to do with Secapps? Well, surely we offer you an extensive suite of web applications for security testing, but up to know we have not done much in terms of giving you guidelines as to where to use these tools. Well, this is about to change - from now on, you can get up-to-date information about bug bounty programs at secapps.com/bounties.

What is it ?

Secapps's bounty list offers you information about more than 400 bug disclosure programs in a systematic, easy-to-use way. In addition to showing you the owner of the program and a link to the disclosure page, it gives you information on if the program is hosted on their own website or it uses a third-party one, if it gives rewards on successful submission of a bug, lists you in their own 'Hall of Fame' of security researchers who have managed to find vulnerabilities or have their own way of giving credit.

What is to come ?

What we want to offer you, however, is much more than information and fascilities. In addition, we aim to give you a good starting point. For this purpose, we will be gradually adding lists of Targets and Fiddles to each program. Targets will display the allowed subdomains that are included in the program and are safe to test without getting into any trouble. Fiddles will contain links to Fiddles created with the apps in our online suite with the aim of giving you a quick insight into the target's webspace and hopefully get you started quickly. These will be created by our team, but submissions are welcomed as well.

Conclusion

Bug bounty programs leave everyone better off - Researchers more experienced and rewarded for their services, Companies with better, more secure software and everyone else with applications that are safer to use. We hope with this latest addition to our services to boost the interest in individual security research and help bridge the gap between the two parties.