Skip to main content
  1. Home
  2. Computing
  3. Features

Who's keeping your data safe? With bug bounties, it's would-be hackers

Add as a preferred source on Google

Companies need all the help they can get to stay one step ahead of the next big security vulnerability, and sometimes that means relying on outside forces.

Bug bounties elicit security help and advice from independent hackers and security researchers usually in exchange for a cash reward. The hacker scours the site, discloses the vulnerability to the company, it gets patched, and the hacker pockets some money. Bug bounty programs have been around for a long time. But in recent years, they’ve become much more common.

Recommended Videos

Facebook has paid out millions in rewards to bug hunters over the years. Earlier this year, Anand Prakash, a security engineer from India, discovered and disclosed a major bug that would have allowed him to potentially access any account. He found that it was possible to make an infinite number of PIN attempts upon resetting an account if you’re using beta.facebook.com, the developer site for new features not yet rolled out to the masses.

“In-house testing does not compare with using the crowd, via bug bounties, in terms of effectiveness.”

“I was able to view messages, his credit/debit cards stored under payment section, personal photos and more,” he said. The discovery (which was promptly fixed) netted him $15,000, and there’s no evidence that the vulnerability was ever used by malicious attackers.

The bug itself is quite simple, but had severe implications, and somehow went undetected by Facebook’s own teams. After all, security pros are still only human, and a second opinion can make a huge difference. Which is why we’ve seen a bloom in bug bounty programs from major players like Facebook, as well as platforms to connect hackers with companies, like HackerOne and Bugcrowd.

Who’s hunting bugs?

Neal Poole, a security engineer at Facebook, took part in several bounty programs before eventually joining the social network and continues to hunt for vulnerabilities. He believes bug bounties make the Internet safer for everyone.

“The people participating in our program represent a huge pool of security talent. In a number of cases these are people who we wouldn’t be able to hire full time even if we tried,” Poole told Digital Trends. “They enjoy using their talents to make Facebook and the people using it safer. A bug bounty program provides us with a way of compensating those people for their time, effort, and skills.”

Social networks like Facebook aren’t alone in running programs. Shutterstock used to have an internal rewards program for staff to spot and submit bugs, but it has since sought help elsewhere.

“With time, we moved beyond the internal bug bounty system and have a profile up on hackerone.com that invites private researchers to find bugs in our system, and we will pay them out for it,” said Sandeep Chouksey, Shutterstock’s VP of engineering.

Some of Bugcrowd's programs
Some of Bugcrowd’s programs Image used with permission by copyright holder

Casey Ellis, CEO of Bugcrowd, says opening up a bug bounty on a site like Bugcrowd creates a go-between for the company and the researcher that can “speak both hacker and business.”

“Fundamentally what we’re doing is taking these two groups of people, who don’t really have a good history of understanding each other, or getting along, to be able to transact and exchange value,” he said.

“Simply put, in-house testing does not compare with using the crowd, via bug bounties, in terms of effectiveness,” added Alex Holetec, CEO of Hackable.io, a platform running programs for IoT companies.

Simply put, in-house testing does not compare with using the crowd.

Leveraging the crowd brings with it a diverse array of backgrounds and skill sets that are keeping a constant eye on the company’s security, while full-time staff can focus their attention on other matters.

“My engineers’ time and effort is better spent working on code quality, helping developers become better, more security minded developers in the long run. Operating the bug bounty allows us to leverage that outside community and get a near-constant stream of researchers prodding and poking at the system and reporting vulnerabilities,” said Shawn Davenport, VP of security at GitHub, which now pays up to $10,000. He continued on to say the continuous testing provided by bug bounties has proven more economical than an annual third-party assessment conducted by a security firm.

In recent weeks, Uber has joined the bug bounty bandwagon, and even the U.S. government is on board with its first security disclosure program at the Department of Defense.

But bug bounties aren’t a silver bullet for the bugs that in-house teams miss. Threats are always evolving, and bug bounty programs are inherently reactive.

“Although bug bounty programs will always be necessary, they ask cybersecurity experts to find issues after the fact and often times can result in new issues or rehash patched errors,” said Todd Inskeep of Booz Allen Hamilton and who sits on the RSA conference advisory board. “If cybersecurity experts and business leaders spend time designing/threat modeling for a more secure product upfront, we can save time and money in the long run, and reduce risk.”

When hackers go too far

Like everything in security, nothing is straight forward with bug bounties, either. Researchers and hackers still face criticism for their tinkering. Last year Wesley Wineberg, a security contractor with Synack, came to blows with Facebook over a significant Instagram bug.

Wineberg, who has claimed thousands in bug bounties in the past, found an exposed Amazon server run by Instagram that allowed him to run his own code. He was able to crack employee passwords and even download some non-user data. As he wrote at the time, “To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement.”

instagram on phone
Tul Chalothonrangsee

The flaw was accessible for up to a month, claimed Wineberg, who carried out his research in stages while corresponding with Instagram. But the Facebook-owned company would eventually accuse him of going too far, and criticized him for writing about it online.

Facebook CSO Alex Stamos went to the CEO of Synack with concerns that Wineberg had “acted unethically,” and risked setting a precedent for ex-filtrating unnecessary amounts of data that goes beyond appropriate research.

The case highlighted the difficult balance that tech companies can face with security researchers. They want help with security flaws, but still want to maintain a certain level of control over disclosure, and how far hackers can go.

Last year, Oracle’s chief security officer Mary Ann Davidson courted controversy from the security community with a now-deleted blog post that excoriated hackers, researchers, and regular customers for overstepping their bounds, fiddling with products that aren’t their own, breaking license agreements, and infringing on intellectual property.

“Bug bounties are the new boy band,” she wrote. “Many companies are screaming, fainting, and throwing underwear at security researchers [sic] to find problems in their code.” She added that security researchers only find about three percent of bugs, and the vast bulk is discovered by companies’ in-house teams.

Bug bounties are the new boy band.

In a climate where many of the biggest players, from Facebook to Google, run generous programs, her attitude was not well received, but many still agree that there needs to be a balance met between the two sides.

“The company should retain a right to defend itself and say what’s ok and what’s not,” said Bugcrowd’s Ellis, though lines of communication between both sides need to stay open.

“That’s when you need someone who speaks both languages. You’ll have the hacker who thinks they’re right and thinks that they’ve played by the rules and they got information that’s important and should be listened to. Then you’ve got a company that quite frankly feels threatened by the whole thing, and is doing what it needs to do to defend itself.”

The bounty board is here to stay

Bug bounty programs are becoming more common, not just as a means for companies to solicit external help, but also to keep the conversation around security flowing. And the trend seems to be accelerating. In March, Google doubled its reward for the top bug in the Chrome program from $50,000 to $100,000, showing that the company is eager to find bugs and will pay dearly for their discovery.

“All in all what it comes to is that the internet is horribly vulnerable and it’s been horribly vulnerable for a long time,” Ellis told us. “The fact that people can think like bad guys but don’t want to be bad guys, and are willing to help is one of the most powerful forces that we have available to us.”

That, we think, rings true. It can be argued that bug bounties result in a lazy, reactive approach to coding — but programmers who lack attention to detail won’t magically become perfect if bug bounties disappear. While bounties should be used alongside other security practices, rather than relied on exclusively, they harness the talents of freelance coders who might otherwise be tempted to use their knowledge solely in their own self-interest.

Jonathan Keane
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Microsoft wants Windows 11 and your phone to become best friends
Microsoft's latest plans reportedly focus on making the PC and smartphone experience feel seamless.
Windows 11 PC with Android Phone

For years, Phone Link has felt like that one app everyone knows exists but rarely remembers to open. Microsoft apparently wants to change that. According to a report from Windows Central, the company is working on a major overhaul of how smartphones integrate with Windows 11, making phones feel like a native part of the operating system instead of something users access through a separate app.

Phone Link is coming out of hiding

Read more
What are Copilot+ PCs? Everything you need to know
Copilot

Walk through a laptop aisle in 2026 and the Copilot+ PC branding is highlight for most Windows laptops. From Microsoft's own surface to other PC makers like Samsung, HP, and Dell, you can find notebooks that carry this badge to convey that they are AI-ready. At a glance, the name sounds like it refers to a computer with a better version of the Copilot chatbot, which only explains a small part of it.

A Copilot+ PC is a Windows 11 computer that meets Microsoft’s hardware standard for advanced on-device AI features like a compatible processor with a dedicated NPU. You also need a certain amount of RAM and storage, all of which brings access to Windows features such as Recall, Click to Do, and much more. Many of these experiences use the NPU to process information locally, reducing their reliance on cloud servers and helping them run more efficiently in the background.

Read more
ASUS expands its ProArt lineup with a compact keyboard and a smart creator mouse
The new ProArt KD300 and MD301 are designed to make life easier for designers, editors, and creators.
ASUS ProArt Keyboard KD300 and ProArt Mouse MD301

Creators have long had plenty of powerful laptops and monitors to choose from. Keyboards and mice? Not so much. ASUS is looking to change that with the expansion of its ProArt accessory lineup. Leading the announcement is the new ProArt Keyboard KD300, a compact low-profile keyboard that's designed to work alongside the ProArt Mouse MD301, giving creators a matching desktop setup built specifically for productivity instead of gaming.

A compact keyboard that doesn't sacrifice functionality

Read more