Google pays out USD 6.5 million to hackers, and in doing so raises its level of IT security enormously. Successful bug bounty programs are expensive, but security incidents are more expensive! A sum of 6.5 million USD attracts attention. But Google understood early on what it means to lose data. For modern business models and companies, the handling of security vulnerabilities should be regulated. There are enough good and bad examples!
Reporting security vulnerabilities before bug bounties
In the early 2000s it was common practice for many security researchers to publish the vulnerabilities they found directly on the Internet. This had many disadvantages, both for the companies that were directly exposed to attack and for the security researchers. The researchers attracted the wrath of many companies with this behavior and became involved in long legal disputes, which rarely ended well for them. Some of these publications still take place today and can be found on the Full Disclosure mailing list.
The principle of Responsible Disclosure developed from these problems. Here, security researchers report the vulnerabilities they have found to the affected companies, and the companies are given a deadline by which the vulnerability should be fixed. After that deadline, the security researchers publish their findings. This also often led to problems, as companies did not fix the vulnerabilities but rather tried to hide them. But this changed in the middle of the 2010s with the introduction of Google’s bug bounties.
Reporting security breaches today
Nowadays there are many companies and service providers that offer bug bounty programs. One of the biggest programs is run by Google. A bug bounty is a reward that a company offers for reported security vulnerabilities. This motivates security researchers to examine companies for security vulnerabilities and to cooperate with them rather than publish first.
Companies often use service providers such as HackerOne, Bugcrowd or YesWeHack to run a bug bounty program. But some large companies like Google also operate these programs themselves. Google paid 6.5 million USD to hackers who participated in its bug bounty program.
The bounties paid vary widely, between 100 USD and 31,337 USD. If several security vulnerabilities are discovered and can be used together, the amount increases. The highest amount was paid to the security researcher Guang Gong, who managed to take over a Pixel 3 smartphone completely and remotely by chaining several security vulnerabilities. He received 201,337 USD for this.
Google’s bug bounties as a role model?
Nowadays bug bounty programs are no longer a rarity. Nevertheless, there are many companies that do not take advantage of this opportunity to improve their IT security. Many professional IT security experts spend their spare time participating in bug bounty programs.
Our team of pentesters regularly participates in bug bounty programs and thereby improves its knowledge and skills in this area. To ensure that as many people as possible can benefit from this, it is recommended that companies of all sizes publish clear contact details for reporting security vulnerabilities online.