Bug bounty, hackers hunting for rewards
S3lab Security Blog (http://s3lab.deusto.es), Tue, 30 Sep 2014
http://s3lab.deusto.es/bug-bounty-hackers-hunting-rewards/
It all started in 2004, when Mozilla decided to change the rules of the game and launched a rewards program for those who found bugs (software errors) in its browser. But it wasn’t until 2010 that Google took the lead with its “Bug Bounty Program”, and the great era of rewards began, as companies such as Facebook, PayPal and Microsoft followed its trail. The latest to join the club is Twitter, with its program on HackerOne. These programs let you report any vulnerability found in both the products and the services of these companies.

The arrangement is a win-win strategy: the company locates vulnerabilities and improves its security once they are patched, and the person who found the bug gets a reward. This practice spares companies from having to hire a large number of researchers to search for errors, since external security researchers and hackers do that work for them.

One of the main goals of this type of program is to try, in some way, to control the buying and selling of vulnerabilities on the black market. It is worth noting, however, that the rewards offered are generally well below the prices those same vulnerabilities fetch on the Deep Web (usually not an option for a company).

In any case, there are different types of rewards, and not all of them are monetary. Below I explain the three most common types:

Reward: the company does not want you to show the world your great contribution to the security of its systems, so it offers money in exchange for your total silence, or for a responsible disclosure of the bug (once it has been patched). The money may go to the person who reported the bug or be donated to an NGO of that person’s choice. Rewards range from $100 up to $200,000 in some specific cases, depending on the bug found and the company behind the product or service.
Hall of Fame: the idea here is to put your name on a beautiful virtual wall on the company’s web page, acknowledging and thanking your selfless help. You become famous overnight, or at least that’s the idea.
Swag: you win a great deal of merchandising and discount coupons for the company’s products, with the aim of softening your heart so that you don’t reveal the bug anywhere until it has been patched. This technique is gaining more and more followers.
In addition, researchers or hackers who show the company useful ideas for protecting against the error tend to receive a special bonus.

When you send a bug to such programs, be aware that they may not consider it important enough, or may even say that it is not a bug but works as designed and poses no risk to security, in which case you will receive nothing.

Reporting vulnerabilities to companies that do not have a bug bounty tends to lead to bad answers and legal threats. Personally I consider this a mistake, since it discourages anyone from telling them about any kind of error they have. Currently there are pages such as Bugsheet and Bugcrowd that help us find out quickly whether or not a company has a rewards program.

Finally, I’d like to conclude with two recommendations:

Companies: any company whose software is offered outside its internal sphere should have a rewards program. It may seem counterproductive, because you might think you are motivating thousands of people to try to break your product in search of a juicy reward, but that will happen whether or not you give something to the discoverer of those bugs.
Hackers and security researchers: we all know that a 0-day earns more money on the black market, but bug bounties are the best alternative for not straying from the right path and thus avoiding ending up in Alcatraz. In addition, they serve to strengthen and improve the software ecosystem, which is, in the end, the business of everyone involved in the security world.
He who warns is no traitor.

The post Bug bounty, hackers hunting for rewards appeared first on S3lab.
