Malicious hackers do what they do for a few reasons. One, of course, is the financial gain that comes from defrauding consumers or selling data on black markets. Another is recognition – bragging rights for evading complex safeguards and outwitting security pros. There is also the personal sense of achievement. Many hackers admit that “I just want to see if I can do it” is something that drives them in their exploits.
For those who try to live honestly and abide by the law, it can be hard to understand a willingness to commit cyber crimes. However, the incentives of monetary compensation, status and personal achievement are just as compelling to those on the right side of the law. And they can be used to help protect your organization’s data when they’re offered to the white-hat hacking community.
Companies in the private sector have recognized this, and have started offering bug bounty programs that provide financial rewards and various forms of recognition for finding and reporting vulnerabilities. Such programs date all the way back to 1996, when Netscape Communications launched a program asking its enthusiastic user base to find bug fixes in exchange for rewards.
In recent years, the concept has seen a surge in popularity among major tech companies like Google and Facebook, as well as smaller operations looking to mitigate risk for their web-enabled products. Some corporations outside of tech, such as United Financial Holdings, have also recognized the potential for crowdsourcing vulnerability research and established their own initiatives. The site bugcrowd.com maintains an active list of firms that currently offer such programs, along with a summary of rewards on offer.
The bug bounty program concept has even found its way into the U.S. Department of Defense with an invitation to “hack the Pentagon.” Adapting the bug bounty model to the government’s heightened security considerations, the agency will invite hackers who have passed a background check to access public-facing networks and report on vulnerabilities they find.
Hoping its pilot program will help them move more quickly to address cyber security risks, the Pentagon expects that other government agencies will follow suit and begin offering their own bug bounties.
If your organization has a strong foundation for cyber-risk management, bug bounty programs may be a smart solution that can help you act quickly to shut down vulnerabilities. In addition to regular penetration testing, centralized monitoring and intelligence tools, they might give you the edge you need in the fight against black-hat hackers.
Are you working to establish a proactive cyber security program? Lunarline has a full suite of cyber security services, products and training to get you where you need to be. Learn more by at Lunarline.com, or contact us today.