Are ‘bug bounties’ the next big thing for compliance?

Most major technology companies run bug bounty programs, in which independent researchers are invited to find security vulnerabilities in the company's systems. If a bug is found, confirmed, and patched, the researcher is eligible for a monetary reward. Would a similar model work for compliance programs?

With bug bounties, independent researchers — sometimes called ethical hackers — are the typical participants.

Here’s how it works.

A researcher applies their hacking skills to a target the company has put in scope, for example the login page of a social media site, looking for an exploitable flaw. If they find a legitimate vulnerability, they report it directly to the company before it becomes public and can be exploited by bad actors, whether inside or outside the company.

The researcher submits a report with full documentation and step-by-step reproduction instructions. The company's security team validates the report, patches the vulnerability, and pays the researcher.

Typical compensation for bug bounty programs starts around $500 but can increase significantly depending on the security gap’s severity. Google pays up to $31,337 for reports on certain types of bugs on web services, and up to $1 million for Android exploits.

Apple introduced a program in 2019, offering rewards that range from $5,000 to over $1 million for discoveries of major operating system security flaws.

In 2016, the U.S. Department of Defense launched its first bug bounty program, "Hack the Pentagon." Within the program's first 24 days, the DOD resolved more than 138 unique vulnerabilities and paid tens of thousands of dollars to 58 hackers.

Why are bug bounty programs important?

A company's reputation can be crushed in a single incident, and repairing it can be a long and arduous process. Yahoo's 2016 disclosure that 500 million user accounts had been compromised, the 2017 Equifax data breach, and the 2018 Facebook and Cambridge Analytica data scandal are a few examples.

Internal security teams — like compliance teams — are always working hard to protect the company, but there will always be ways to beat the system. Technology systems across all industries are continually changing, and with new systems come new exploits.

With bug bounty programs, the world’s largest and most sophisticated companies invite civilians to try and beat them, and often the civilians win. Google has paid out over $21 million in bug bounty rewards over the last ten years.

Instead of only seeing the negatives of inviting people to find chinks in the armor, the world’s leading companies take a position of humility with bug bounty programs and acknowledge that there are always faults to be found.

Companies with effective bug bounty programs are seen in security communities as more respected, more responsive to threats, and more concerned with user safety.

Finding weak points before they can be exploited also reduces the risk of regulatory action against a company. Equifax agreed to a settlement of at least $575 million with the Federal Trade Commission, the Consumer Financial Protection Bureau, and U.S. states over a breach that a House Oversight Committee report called "entirely preventable."

Like data breaches, corruption prosecutions can produce a damaged reputation, large penalties, and strictly mandated changes to compliance programs.

Could the bug bounty system work for compliance departments? Throw open the gates for independent review, and reward any enterprising compliance “bug hunter” who finds a way to make a compliance program better?

Why not?

Maybe bug bounties are coming soon to a compliance program near you.

1 Comment

  1. Interesting, are there already examples of use of BBs in the banking sector?