Amazon’s BugBust Wants to Make Bug Squishing a Global Contest

For technologists with a talent for finding flaws in code, bug bounties have proven quite lucrative over the past few years. Big tech companies such as Google and Microsoft are willing to pay hundreds of thousands of dollars—and sometimes millions—to anyone who can discover and squish bugs in key systems such as Android and Azure. 

But it’s not just the tech giants: Given the cost advantages of letting the crowd pick at code, more companies are launching bug bounties. Seeking to leverage that growing popularity, Amazon Web Services (AWS) has issued AWS BugBust, a platform designed to help companies launch bug bounties for Java and Python developers (with other programming languages presumably coming). As you might expect, at the heart of BugBust are two Amazon tools: Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler.

Both of those tools rely on machine learning to automatically scan code for errors. BugBust allows companies to spin up a “BugBust event,” email team members about the event, and maintain a leaderboard of who’s squished the most bugs. AWS is also using the BugBust rollout to announce a “global competition” to squish 1 million Java and Python bugs, complete with prizes such as a t-shirt, a varsity jacket, and a trip to AWS re:Invent 2021.

Introduced a few years ago at re:Invent, CodeGuru is yet another developer tool that utilizes machine learning and A.I. to improve the coding process (alongside Deep TabNine, Kite, and others). Over the past year, CodeGuru underwent several improvements, including support for applications written in Java virtual machine (JVM) languages such as Clojure, JRuby, Jython, Groovy, Kotlin, Scala, and (of course) Java. With BugBust, it’s possible that Amazon is trying to weave its tools into companies’ bug-hunting methodology.

While bug bounties are great at discovering bugs in public-facing websites and apps, companies still need cybersecurity experts in order to protect those parts of the tech stack that the public should never access. As of June 1, there were more than 428,000 open cybersecurity positions across the U.S. private sector, according to Cyber Seek, which is a job-tracking database developed by the Department of Commerce and CompTIA, an IT trade group. Some top positions include cybersecurity analyst, cybersecurity consultant, and network engineer.

“The demand for cybersecurity job professionals will always be greater than the supply simply because threats continue to evolve and increase in numbers. Up until a few years ago, cybersecurity professionals specialized in a particular field or technology,” Rita Gurevich, founder and CEO of security firm Sphere, recently told Dice. “Today, the role requires a broad range of experience in technology and business to be successful. Evolving threats mean that cybersecurity professionals must also be able to adapt to change frequently. People like this are not easy to find.”

While technologists can perhaps score some nice paydays from bug bounties, adopting more specialized cybersecurity skills can open up a career pathway. The demand for cybersecurity professionals is clearly there.