When the first bugs-for-cash programs emerged almost two decades ago, they were controversial. Programs like iDefense Labs' Vulnerability Contributor Program (VCP) (launched in 2002) and TippingPoint’s Zero Day Initiative (2005) were accused, at the time, of incentivizing the work of criminals and bad actors.
Today, however, bug bounty programs are part and parcel of the software industry. Companies like Microsoft, Google and Apple all offer them, as well as countless other software firms. In recent years, even “old economy” industrial and manufacturing firms like Ford, GM and John Deere got into the act.
Careers Built on Bugs
That has spurred growth in the demand for vulnerability hunters. These days, talented bug hunters and pen testers can make six-figure salaries – or higher – on crowdsourced bug bounty marketplaces by finding and reporting flaws in software in accordance with corporate bug bounty programs.
But standing up a bug bounty program is no easy task. Apple, for example, has faced criticism for how it manages its disclosure program, with many vulnerability researchers claiming the company is too slow to address issues they report. For the countless other companies without big budgets and deep roots in the information security community, the logistics of standing up a bounty program and managing the flow of submissions are daunting. For those firms, bug bounty platforms have been a critical bridge to the global community of “white hat” security pros.
In the last decade, such programs have become a staple of countless software security and software assurance programs, crowdsourcing the work of finding and reporting software flaws to leverage the “wisdom of the crowd.”
BugCrowd: Bug Bounty Programs 10 Years On
What does it take to stand up a bounty program? And what skills are in demand on the bug bounty marketplaces today? To answer those questions, we invited Casey John Ellis into the studio. Casey is the founder and Chief Technology Officer at BugCrowd, an online marketplace that helps connect independent bug hunters, pen testers and software security experts with software publishers of every stripe.
In this conversation, Casey and I talk about the founding of Bugcrowd, almost a decade ago, and how the bug bounty market has changed in that time. We also talk about the surge in demand for bug bounty programs by both governments and old economy firms that, suddenly, find themselves in the software business.
Finally, Casey and I talk about what it takes to be a successful bug hunter these days and what skills are most in demand – you may be surprised by what he has to say!