The world of cybersecurity and hacking has changed a lot in recent years, especially the stereotypical image of hackers that was so popular a few decades ago. It is a concept that has evolved rapidly within the IT and cybersecurity industries.
In the early 90s, a trend started to gain momentum: large companies that, far from fearing those who were skilled at creating security breaches, decided to hire them, and put them in charge of their corporate cybersecurity. Because, as you know, if you can’t beat them, join them.
Forerunners of bug bounty
In 1995, Netscape decided to take this trend even further. Right at the moment when its Netscape Navigator 2.0 Beta was flourishing, the company encouraged developers from all over the world to look for security bugs in its browser. This wasn’t some altruistic act, and it wasn’t just for fun. Netscape offered a financial reward to those who found any possible bugs.
This may just seem like an interesting anecdote, but in fact, it set in motion an extremely interesting practice. Because, whether they were conscious of it or not, Netscape had just invented bug bounty, an initiative where companies launch official contests where they encourage skilled IT security experts to look for security bugs in their systems.
Cybersecurity companies and tech giants
It was some years before Netscape encountered another company that was doing the same thing, but in 2002, the idea started to gain traction: iDefense launched its bug bounty program, while the Mozilla Foundation and TippingPoint joined in in the following years. All of them offered a reward of between 400 and 500 dollars cash to anyone who managed to break their corporate cybersecurity via a pen testing exercise, based on attacking different IT environments in order to find and report their weaknesses.
These days, procedures like this are an absolute must for cybersecurity entities like CanSecWest, but also for all kinds of tech giants, such as Google, (who paid almost 3 million dollars in rewards in 2017), Facebook, Dropbox, Tesla, or even Microsoft. The rewards have also gone up: currently a programmer who is able to break through security breaches and find these bugs can even earn up to 500,000 dollars.
Things have reached such a level that, as well as specific companies’ projects, there are pioneering global initiatives that are working on this kind of project. The most famous of these is HackerOne, the platform that analyzes possible security breaches in large companies like Airbnb, GitHub, General Motors, Nintendo, and even public bodies such as the US Department of Defense.
A headhunting exercise
For many of these companies and the people who take part in their challenges, the financial reward is, in reality, almost the least important thing. The fact is that very often, bug bounty events can serve as a perfect talent pool for this type of company to bring on board the best undiscovered cybersecurity experts. The salary of a new job can be a rather more attractive reward than a cash prize.
What’s more, for many tech companies, these contests, far from showing them up as companies with weak cybersecurity, mean a real boost for their publicity and marketing, especially when it comes to opening up to the hacking community and encouraging a culture of responsible cybersecurity.
One key factor shouldn’t be forgotten: bug bounty isn’t based on a malevolent philosophy, or on the desire to bring down a company’s cybersecurity. Quite the contrary: the basic premise is to find bugs, report them, and collectively contribute to the IT security of the companies that hold these events.
The popularization of bug bounty is doubtless the clearest proof of the fact that many businesses’ mentalities have shifted: whereas it used to be the case that those who reported these bugs were met with legal threats, now, their active, prudent, and ethical search for this type of problem is rewarded. Whatever it takes to fight, all together, for the future of corporate cybersecurity.