After disclosures about internet vulnerabilities in a 1998 congressional hearing, formal
bug bounty programs came onto the scene. In case you’re unfamiliar, the concept is
similar to that of a scavenger hunt. First person to find the treasure wins.
Across North America, bug bounty programs have seen a 37% increase in use since
2018, highlighting their soaring popularity.
One reason that persuades companies to choose bug bounty programs over other forms
of security testing is that these competitions tap into a wide pool of hackers, allowing for
more varied and thorough bug searches.
Roughly 25% of bugs found are classified as critical to high in severity, reflecting the
significance of bug hunting sorties. And hackers can earn great monetary rewards, with
one ethical hacking firm offering a total of $19 million in 2018, although a hacker with
merely average skills is unlikely to earn all that much through bug bounty programs.
The competitive spirit of bug bounty programs offers a thrill and produces actionable
results, but industry experts also recommend allotting portions of big bounty sums to
security itself. This past winter, backlash ensued over the EU’s decision to award $1
million in prize money to hackers rather than using it to enhance existing architecture.
When bugs are reported, system maintenance personnel are diverted from their priorities
and must suddenly focus on the bug, limiting resources for overall structural
You’re better off focusing on how to build security into your system, rather than trying to
“bolt it on,” almost as though it’s an afterthought.
For more on this story, check out Forbes.