Bug bounties offer the tantalizing possibility of closing off major vulnerabilities in exchange for a relatively paltry amount of cash. That thinking has led many companies and government agencies—including Tesla, Microsoft, Facebook, and the Department of Defense—to offer cash prizes to anyone who can discover loopholes in their websites.
But do bug bounties actually save companies money? There are real-life hints that the answer is “yes.” Last year, for example, the Department of Defense launched a pilot bug-hunt that uncovered 138 valid reports of vulnerabilities, for which it paid around $150,000 (some $75,000 of that was the actual reward money to hackers who discovered the holes). Then-Secretary of Defense Ash Carter subsequently stated that the work, had it been done by an outside firm, would have cost more than $1 million.
To frame the issue another way: according to Dice’s data, the average security engineer pulled down an annual salary of $107,479 in 2016; security analysts earned an average of $81,819. With enough years of experience, of course, a security researcher or analyst can expect to pull down a healthy six-figure salary, especially in a competitive environment. Add up the combined salaries of a full-time security staff, and that’s a lot of money—certainly more than what a company might pay out if it goes the crowdsourcing route.
But no company or agency can survive on bug hunts alone. For starters, bounty hunters are usually restricted to a small, explicitly scoped set of public-facing websites; probing databases or other sensitive systems is strictly off-limits. So an organization still needs full-time security pros on staff to deal with those parts of the tech stack that the public absolutely should not access.
Second, bug hunts tend to be limited-duration affairs, whereas full-time tech staff can keep up with evolving threats on an ongoing basis. For companies, security staffers with the proper certifications are also a known quantity, whereas you might not be sure about the background of someone online hunting down your vulnerabilities.
In essence, bug hunts can prove an effective supplement to an existing security staff—not to mention a solid payday for tech professionals who know their way around code. For example, Facebook recently paid Russian security researcher Andrew Leonov around $40,000 for discovering a remote-code execution flaw in ImageMagick, a photo-editing tool. In theory, someone could have exploited that flaw by uploading specially crafted images to Facebook in order to run malware on its servers. (That was Facebook’s biggest security-related payout, although it did pay one researcher $35,000 for discovering a vulnerability in 2014.)
At their best, bug bounties work out well for everyone. But they’re not the only solution to an organization’s security needs.