It might surprise you to find out that companies like Microsoft, Apple, and Google actually hold contests and give rewards to people who discover exploits in their existing software. Google has a very active bug bounty program in place for its Chromium project. Development done on Chromium eventually feeds into the Chrome browser released directly by Google. Because Chromium is where you can find the latest tools and newest code, it’s also the platform on which Google would much rather have exploits discovered. An exploit in the wild on Chrome would be substantially more difficult to manage.
Simply put, if you find a new exploit in its Chrome browser, it may result in a pretty nice payday for you. To take this a step further, Google is hosting a challenge at Hack in the Box in Malaysia this fall called Pwnium 2. It’s the second such challenge, offering rewards of up to $60,000 to individuals who uncover exploits in its Chrome platform.
Through these programs, white hats (hackers who typically report exploits rather than take advantage of them) can make a fair living chipping away at big platforms like Facebook, Mozilla’s software, and Microsoft Windows. Facebook’s bounty program offers a minimum reward of $500 with larger prizes being offered for particularly severe exploits.
Why Do Companies Do This?
These programs sound pretty bold on the surface. Why would any sensible corporation want to encourage people to find exploits in its software? There are several reasons that corporations do this.
Imagine how much you would have to pay to have a team on staff spending its entire day attempting to exploit your software. Chances are, a single individual may run out of ideas well before the majority of the exploits would be found. By offering sizable rewards to outside researchers to uncover exploits in your system, you essentially expand your research team’s size from a dozen to thousands with a minimal investment. Every hacker out there has their own preferred bag of tricks and background. In order to truly secure your software, you need to be covered from virtually every angle.
Rewards May Deter Active Exploiting
This may sound terribly selfish, but I’m always more inclined to return things I find if I discover there is a reward being offered. If I were a less ethical technology user, I might be inclined to use an exploit without reporting it if no reward were being offered. By having a reward, these moral decisions become a little easier.
The Best Hackers Aren’t Free
Even in the world of white hats, money talks. A research group has its own expenses to deal with, and getting these talented individuals involved with debugging your software won’t happen unless you’re willing to make the hunt for exploits worth their time.
When a major corporation takes its software to hacker conventions (like Black Hat) and issues a bounty on exploits, it sends a strong message to the user that this corporation must really believe in its software. For the hacker, it translates to an easy payday while doing some good for the software developer.
What do you think of bug bounties like these? Do you see them as a helpful tool for software developers? Leave a comment below and let us know.
Image: Chromium Logo