Is a bug bounty programme right for your company?

Crowdsourced bug hunting has gone from a quirky idea used by a few independents (Netscape was an early adopter in the mid-1990s) to a mainstream method used by the biggest corporate players, such as Microsoft and PayPal. Nor is it limited to software: everything from websites to hardware can be put to the test. Bug bounties pay skilled users and hackers to take part in these crowdsourced testing programmes, with the reward normally scaled to the severity of what they find.


The bug bounty bonanza

Such programmes have almost become a sport in their own right: in 2015 a BattleHack tournament, backed by PayPal and Twitter, awarded a first prize of $100,000 (over £80,000). Even the US Department of Defense has joined in: the 2016 Hack the Pentagon pilot paid out $71,200 to successful bug finders, with 138 security flaws confirmed as valid.

Prizes are not always so generous. An attraction of bug bounty programmes for many companies is that they pay only for valid, previously unknown findings: if nothing is found, nothing is paid. That makes them a cheap supplement to an in-house testing team, though not a free one, since every submission, including duplicates and false positives, still has to be triaged, and the valid ones still have to be fixed.

Brokerage services

Running a crowdsourced programme is resource intensive, so only a few of the largest companies run their own. The majority use a third-party software testing service, such as a commercial bug bounty platform, to act as broker: it handles researcher registration, submission intake and initial triage, and pays out the rewards.

An external service also provides a layer of insulation between the client and an unpredictable crowd of researchers. There have been cases where freelance penetration testers have gone further than the company anticipated, exposing confidential code and information. A written scope and rules of engagement (which systems are in bounds, which techniques are forbidden, and what safe-harbour protection a researcher acting in good faith can expect) are the practical defence against this, and a broker will usually help to draft and enforce them.

Crowdsourcing advantages

The advantages are numerous. By sheer weight of numbers, a crowd examines software more thoroughly and in a wider range of real-world contexts than an in-house team can, and it does so in parallel, so findings arrive sooner. Participants may also use unorthodox methods that would never have been part of a controlled in-house programme.

Crowdsourcing is valuable for functionality and compatibility testing as well as penetration testing, but it really comes into its own for the latter. An attacker needs only a single flaw to compromise an organisation, whilst defenders must anticipate every possible attack route, usually with far fewer people. Crowdsourcing shifts the weight of numbers back in favour of defence, and fixes can reach the customer base within weeks instead of months, as today's demanding market expects.

