How are organisations using ‘bug bounties’ to find flaws?

By Tinesh Indrarajah

Lessons from government and cutting-edge companies.

It’s a classic story. A hacker finds a bug, exploits it, and ends up working for the company to stop others doing the same. A new method of plugging cyber flaws institutionalises that model.

Bug bounty competitions let hackers deliberately try to bring down systems, with rewards given for reporting any weaknesses they find.

Here are the different ways that government and the private sector run them:

1. US DoD

The United States Department of Defense (DoD) launched its first bug bounty programme in April. ‘Hack the Pentagon’ invited vetted hackers to break into government systems and test the US’s cyber security. Participants are rewarded financially for finding major flaws in government systems.

Hack the Pentagon was the first ever commercial bug bounty programme by the US Government. While the government uses its own security experts to test its systems, it hoped that fresh eyes would help spot more weaknesses.

1,410 people participated in the programme from 18 April to 12 May, submitting 1,189 reports of bugs. A total of US$71,200 was paid as bounties to the winners.

Participants had to be American citizens and go through background checks.

2. Facebook

Facebook has been running a bug bounty programme since 2011. It has so far made over US$4.3 million in payouts to researchers.

In February this year it paid nearly US$15,000 to a security researcher who found a major flaw that could unlock any user’s account. Its bug bounty programme has also helped it spot flaws in new services soon after they are launched.

For instance, Facebook got 15 reports within minutes of launching messenger.com, and was able to plug a site-wide flaw.

The company can also apply specific findings from bug bounty submissions to its entire source code and check for system-wide flaws.

“We're receiving more reports about inconsistencies in our business logic, which give us the ability to eradicate entire classes of vulnerabilities all at once,” Facebook security engineer Reginaldo Silva wrote in a post.

The company receives thousands of submissions a year. These are investigated by the internal team to find the high-impact flaws which could have more serious consequences.

Last year it found 526 valid reports out of 13,233 submissions.

3. Uber

Uber announced its first bug bounty programme in March 2016. It has set out clearer rewards for hackers who report flaws in its systems.

For example, finding a potential leak of personally identifiable data could earn up to US$10,000. Revealing bugs that could deface the homepage or expose email addresses could earn up to US$5,000.

Uber has gone a step further than older bug bounty programmes run by Facebook, Google and Microsoft, however. It introduced a loyalty programme to entice successful hackers to continue improving Uber’s cybersecurity.

It created a “Treasure Map” that directs hackers to the sites with the highest potential for bugs, making bug hunting more efficient for white-hat hackers.