To most people working in cybersecurity, hackers are a constant source of concern, probing the defenses of companies with the intent of gaining access to private files or data. In the hope of instead benefiting from the talents of these hackers, organizations are increasingly offering bug bounties: cash rewards for those who identify and report flaws in code that could potentially be exploited.
Mark Litchfield is one such ethical hacker. He has made $1.5 million from these bug bounties, despite having entered the field almost by accident. Speaking of his introduction to these bounty programs, Litchfield says, “I submitted a bug to Yahoo and thought that was the end of it. And then I got this email saying, ‘Hey, we’ve got some money for you. Do you want it?’” These bug programs were one of the ways Yahoo looked to strengthen its security after suffering major breaches in 2013 and 2014, giving ethical hackers like Litchfield a route to be paid for their efforts to probe systems and code.
Ian Glover, head of the CREST organization in the United Kingdom, says of these bug bounty programs, “The money side of it is not as much of a motivation as you might imagine. It’s more about trying to solve the challenges, getting into the industry and getting recognition by your peers.”
A bounty program, however, should not be seen as a first line of defense, but rather as a supplement to a robust cybersecurity program. As Glover notes, “Bounties should be the end of the process, not the beginning.”