In recent times, bounty programs have come to the limelight. If you are not aware of what a bounty program is, here is a simple definition. Large platforms like Google, Facebook and Paypal float an open invitation to ethical white-hat hackers and researchers to find security holes or bugs in their systems, offering a cash reward for each bug found. Hackers and researchers across the world try to penetrate these systems in the hope of finding a security hole or bug in these platforms.
Recently, Facebook’s bounty program was talked about across the globe when Facebook declined to pay an unemployed IT researcher, Khalil Shreateh, for revealing a flaw on the social network. On the other hand, here is also an example where Facebook awarded a USD 12,500 bounty to Indian researcher Arul Kumar for finding a bug!
Now, large companies like Facebook and Google can float a bounty program given their reach, size and strength. However, it is very difficult for other companies to run such a program. Bugs4Bounty resolves this by creating bounty programs for companies and crowdsourcing them to security researcher communities!
We spoke to Rohit Srivastwa, founder of Bugs4Bounty to know more details:
Can you tell us what Bugs4Bounty is?
Bugs4bounty is a program which companies run to award people who find bugs in their system that can be a threat to either the security of the website or the privacy of the users of the website.
Bugs4Bounty is an official platform which will help companies to run bounty programs and security researchers to submit bugs to the companies.
What was your reason behind launching this, especially when biggies like Google, Facebook, Paypal and others have their own programs for white-hat hackers?
Google, Facebook, Paypal, AT&T and almost all other giants have a bug bounty program because they can afford to run such a program. Apart from the top-level biggies, everyone else needs a service that can offer them a similar level of security and expert eyes, because running a bug bounty program is not an easy task and will consume a lot of their time & energy.
Bugs4Bounty is such a service for all the others who want to gain from the power of security researchers but still don’t have the time, direction or process for it.
Do you want to be a marketplace for smaller vendors who can run bounty programs?
Exactly. Bugs4Bounty will serve as an escrow platform for companies of almost any level.
Can you elaborate on how it helps hackers as well as the organizations?
For Bug Hunters (hackers) it’s an easy way to legally test websites and get rewarded for it. For organizations, they are opening up to the skill set of real-world researchers who do this day in and day out.
How is it different from the run-of-the-mill penetration testing services available?
When you opt for a penetration testing service, you basically hire the brains of 5/10/20 researchers, and all the issues found are limited to the knowledge level of these people. But when you open a bug bounty program, you invite a huge number of researchers to play with your system.
Additionally, there is a chance (I’m not blaming anyone, but still there is a chance) that a pentesting company may hide a few details from you for future gains. Such a possibility doesn’t exist in a competition, because everyone wants to submit as much as possible to increase their chance of winning.
Do you plan on launching a completely online program where organizations can participate? According to your site, currently companies need to get in touch with you and then the whole process happens offline. Don’t you think that is counter-productive?
As of now we are not planning a complete online platform where a company can log in & start the bounty program. Although it is counter-productive, there are reasons behind it.
Firstly, leaving aside the Gs & the Fs, other companies are still scared of getting into this line and need a conversation which clears their doubts.
Secondly, once the company has dealt with an outsourced partner the level of trust increases and they can, in future, drive it on their own. To start with, they still need to get into the deal and finalize the bounty distribution mechanism.
Once the concept is well accepted, we’ll have a completely automated online process for it too.
Will you open the bug bounty to all the hunters? Will that not compromise the security of the company?
It depends on the company. If you think you are strong enough to open publicly, we’d advise doing so to increase the eyeballs. If not, then the company may choose a number of hunters for whom the bounty will be open.
Then how will you limit the bug bounty to a particular set of people? How will you manage it?
If a bounty is open for a limited set of people, we’ll publicize it ONLY to our registered & verified bug hunters. People who want to participate in closed bounties are requested to join via the website.
As a company if I want to know who all are participating in my closed bounty, how can I do that?
Our registered bug hunters are verified personally by our team, and if the need arises we can have one-to-one discussions too. These are real people in the real world who do not believe in testing using automated tools only. They prefer using real brains.
Can you give us any details on the pricing structure that you will be offering?
Pricing is decided by the company who wants to run a bounty program. We do not force a price.
For the same category of bug, Google pays around USD 1000 and Facebook pays USD 500, whereas any other company can pay even USD 100. It’s on the company to decide the amount they want to spend on this. We do suggest the right amount, but the final decision is the company’s.
Having said that, I’d like to remind you of an old saying: if you pay peanuts, you get monkeys :)
How will the payments be made to bounty seekers?
Bug Hunters will get their reward via bugs4bounty.com. We, as an escrow service, will arrange for the complete transaction of the bugs as well as the reward.