Bug bounties once were restricted mainly to large software companies such as Mozilla and Google. But the success of these programs has led many other infrastructure and product companies, including Yahoo, Facebook, Barracuda, PayPal and even Microsoft, to launch their own reward systems. Now, the phenomenon has spread to individual developers.
Looking at the list of vendors involved in bug bounties, it would seem that the barrier to entry is relatively high. Those are all well-heeled companies with rather large bankrolls, so handing out a few thousand or even tens of thousands of dollars to security researchers isn’t a huge deal for them. The rewards for these companies have turned out to be well worth the investment, as they’re getting highly skilled researchers poring over their code without having to pay them salaries and benefits.
But what would the returns be for an individual developer with a small project or application who doesn’t have a lot of money to invest in a bounty program? The answer wasn’t clear, but Ian Dunn decided to find out.
Dunn, a WordPress developer, wrote a plugin a few months ago that was designed to modify the workflow of another plugin that deals with two-factor authentication logins. Not being a security expert, Dunn knew that he wanted some help looking for potential vulnerabilities in the plugin, so he decided to offer a reward to anyone who found a bug and let him know about it privately.
“Given the nature of it, I knew that any potential bugs could have significant security implications, so I did my best to test it thoroughly. I’m not a security expert, though, so I still worried that there might be some esoteric vulnerability I had missed,” Dunn said via email.
“So, I wrote a post on my blog offering a security bounty for anyone who found a vulnerability and disclosed it to me privately. That actually worked — a colleague of mine found a bug and I released a patch — but it’s obviously not an ideal solution, since it only reaches a few people in my circle.”
Dunn wanted to expand the reach of his reward offer, but he knew he didn’t quite have the visibility and influence of Google or Microsoft. So when he came across the HackerOne bug bounty platform, he thought it was a good fit. HackerOne provides a way for researchers to report vulnerabilities privately and collect rewards from participating vendors, which include Yahoo, OKCupid, CloudFlare and OpenSSL. The rewards vary by vendor, with minimum bounties ranging from a couple of hundred dollars to several thousand. Dunn set his minimum at $25.
“When I heard about HackerOne, it sounded like the perfect solution. They’ve got a deep pool of researchers who are motivated to find vulnerabilities and disclose them responsibly, and they offer a great set of tools to manage the entire process,” he said. “I hope to get more eyes on my code, so that any security bugs that slip in can be caught, and also so I can learn from any mistakes I make.”
Although Dunn is a small fish among some rather large sharks in the bug bounty sea, he already has closed two bugs on HackerOne since he joined last week. He said that he’s hopeful other individual developers will follow his lead and offer incentives to researchers.
“Definitely. Security is still something that the development community isn’t doing a good enough job at, and I think HackerOne can make a huge impact by giving developers access to audits,” Dunn said.