"In some cases, researchers were running up against a brick wall trying to do the right thing," says James Chappell, chief technology officer of UK cybersecurity company Digital Shadows. "A bug bounty programme takes the guesswork out."
Bug bounties are almost as old as the internet itself and can be traced to Netscape in 1995. At Netscape, engineers proposed to executives the "Netscape Bugs Bounty Programme", offering to reward the small army of Netscape fans publicly posting repairs and recommendations to fix problems with its browser.
But only recently have tech giants started budgeting millions of dollars to pay to be hacked. Facebook received 12,000 submissions from researchers in 2017, paying out $US880,000 ($1.1 million). The company has now paid out a total of $US6.3m to hackers since it started its programme in 2011.
The average reward also increased, growing to $US1,900 from $US1,675. While this is trivial for the company, it is no small sum for a freelancer, and it helps catch embarrassing bugs that the in-house team might miss.
Google has also expanded its bug bounty programme significantly. Both Google and Facebook are unusually open about the work of their hacking community, in a world where many data breaches are hastily covered up.
Google has paid out $US12m in rewards to hackers since 2010, paying $US2.7m in 2017. Its biggest reward in 2017 was $US112,500 to someone who exploited its Pixel smartphone. Following the recent Spectre and Meltdown bugs in its chips, Intel too has upped its top rewards to $US250,000.
"Organisations that have good bug bounty programmes have benefited immensely," says Jérôme Segura, lead analyst at Malwarebytes. "But touchy issues remain around the bounty itself - what is considered in scope and the time vendors require before public disclosure."
The system is not without its flaws, as shown by the Zuckerberg profile hack. Several companies have been criticised for their paltry rewards for major vulnerability finds, others for their slow or non-existent responses. In one case, a white hat hacker published a fake game, called "Watch Paint Dry", onto the front page of the video game marketplace Steam after its security team repeatedly ignored his warnings about a flaw.
Apple only launched a bug bounty programme in 2016. But so valuable are bugs in its high-security software, with several secretive private companies offering up to $US1.5m for a high-level attack, that some in the hacking community have suggested that Apple's own payments, which range from $US25,000 to $US200,000, are simply not high enough. Uber ran into trouble with its bug bounty after a breach exposed the details of 57m customers: the breach was attributed to a bug bounty hunter, and executives tried to hush it up with a $US100,000 payment while hiding the incident from regulators.
It is only in the last five years or so that bug bounties have grown beyond a loose freelance community. An increasing number of well-funded start-ups are focusing solely on the bug bounty market. Start-ups like HackerOne and Bugcrowd have raised tens of millions of dollars in venture funding.
It is a small market, but with a handful of start-ups vying to harness the hacker community, it is unlikely to stay that way, according to Mårten Mickos, chief executive of HackerOne. "In the grand scheme of things it is still relatively small," Mickos says. "But given the benefits of hacker-powered security, the market is likely to keep growing. We believe the only way to stop a criminal hacker is with an ethical hacker."
With firms willing to lift payments to get a team of the best hackers to test their systems, there is more money than ever available to bounty hunters. "Data breaches are expensive," says Troy Hunt, a security researcher and Microsoft regional director. "Organisations are simply getting better at realising the actual value of bugs."
Telegraph, London