Browse Definitions:
Definition

bug bounty program

Contributor(s): Matthew Haughn

A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy.

Many software vendors and websites run bug bounty programs, paying out cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. Bug reports must document enough information for for the organization offering the bounty to be able to reproduce the vulnerability. Typically, payment amounts are commensurate with the size of the organization, the difficulty in hacking the system and how much impact on users a bug might have.

Mozilla paid out a $3,000 flat rate bounty for bugs that fit its criteria, while Facebook has given out as much as $20,000 for a single bug report. Google paid Chrome operating system bug reporters a combined $700,000 in 2012 and Microsoft paid UK researcher James Forshaw $100,000 for an attack vulnerability in Windows 8.1.  In 2016, Apple announced rewards that max out at $200,000 for a flaw in the iOS secure boot firmware components and up to $50,000 for execution of arbitrary code with kernel privileges or unauthorized iCloud access.

While the use of ethical hackers to find bugs can be very effective, such programs can also be controversial. To limit potential risk, some organizations are offering closed bug bounty programs that require an invitation. Apple, for example, has limited bug bounty participation to few dozen researchers.

This was last updated in July 2017 ???publishDate.suggestedBy???

Continue Reading About bug bounty program

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • risk map (risk heat map)

    A risk map, also known as a risk heat map, is a data visualization tool for communicating specific risks an organization faces. A...

  • internal audit (IA)

    An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine ...

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if ...

SearchCloudProvider

  • cloud ecosystem

    A cloud ecosystem is a complex system of interdependent components that all work together to enable cloud services.

  • cloud services

    Cloud services is an umbrella term that may refer to a variety of resources provided over the internet, or to professional ...

  • uncloud (de-cloud)

    The term uncloud describes the action or process of removing applications and data from a cloud computing platform.

SearchSecurity

  • cyberextortion

    Cyberextortion is a crime involving an attack or threat of an attack coupled with a demand for money or some other response in ...

  • Cybercrime

    Cybercrime is any criminal activity that involves a computer, networked device or a network.

  • National Security Agency (NSA)

    The National Security Agency is the official U.S. cryptologic organization of the United States Intelligence Community under the ...

SearchHealthIT

  • Practice Fusion

    Practice Fusion Inc. is a San Francisco-based company that developed a free electronic health record (EHR) system available to ...

  • RHIA (Registered Health Information Administrator)

    An RHIA, or registered health information administrator, is a certified professional who oversees the creation and use of patient...

  • 21st Century Cures Act

    The 21st Century Cures Act is a wide-ranging healthcare bill that funds medical research and development, medical device ...

SearchDisasterRecovery

SearchStorage

  • Random Access Memory (RAM)

    Random Access Memory (RAM) is the hardware in a computing device where the operating system (OS), application programs and data ...

  • floating gate transistor (FGT)

    A floating gate transistor (FGT) is a complementary metal-oxide semiconductor (CMOS) technology capable of holding an electrical ...

  • bad block

    A bad block is an area of storage media that is no longer reliable for storing and retrieving data because it has been physically...

SearchSolidStateStorage

  • hybrid hard disk drive (HDD)

    A hybrid hard disk drive is an electromechanical spinning hard disk that contains some amount of NAND Flash memory.

Close