If you’re interested in making money from bug hunts, Google may have made things a little easier for you, at least when it comes to vulnerabilities in the company’s platforms (including Google, Android, Chrome, and Play). Ten years after it launched its original Vulnerability Rewards Program (VRP), Google has unveiled Bug Hunters, a website designed to consolidate all company-related crowdsourced bug-hunting in one place.
Google claims that, over the past decade, bug hunters have discovered 11,055 vulnerabilities, translating into $29.3 million in payouts. That’s significant, especially if you’re one of those technologists who’s earned quite a bit over the years via bug hunts.
In a new blog posting, Google is touting some features of its Bug Hunters website, including a leaderboard, educational content (via “Bug Hunter University”), and “a bit of healthy competition through gamification, per-country leaderboards, awards/badges for certain bugs and more.” In addition, Google isn’t just paying technologists for discovering vulnerabilities; it will also reward “patches to open-source software” and “research papers on the security of open source.”
This latest Google move is reminiscent in some ways of AWS BugBust, a platform just launched as part of Amazon Web Services (AWS). BugBust is designed for companies that want to launch bug bounties for Java and Python developers; it leans heavily on two Amazon tools, Amazon CodeGuru Reviewer and Amazon CodeGuru Profiler. In this case, it’s clear that Amazon is trying to get more technologists to embrace its tech as part of the bug-squishing process.
While a crowd is often great at finding vulnerabilities in websites and apps, companies still need cybersecurity experts to protect those parts of the tech stack that the public should never access. As of June 1, there were more than 428,000 open cybersecurity positions across the U.S. private sector, according to CyberSeek, a job-tracking database developed by the Department of Commerce and CompTIA, an IT trade group. Top positions include cybersecurity analyst, cybersecurity consultant, and network engineer.
“The demand for cybersecurity job professionals will always be greater than the supply simply because threats continue to evolve and increase in numbers. Up until a few years ago, cybersecurity professionals specialized in a particular field or technology,” Rita Gurevich, founder and CEO of security firm Sphere, recently told Dice. “Today, the role requires a broad range of experience in technology and business to be successful. Evolving threats mean that cybersecurity professionals must also be able to adapt to change frequently. People like this are not easy to find.”