DefCon: Bug bounty programs continue to evolve

Hunting for vulnerabilities has come a long way.

During a session entitled “Bug Bounty Programs Evolution” at DefCon 22 in Las Vegas, Nir Valtman, enterprise security architect of NCR Retail, said that the first example of a bug bounty program came in 1995 when Netscape sought to ensure high quality software.

Back then, Netscape offered branded mugs and shirts as rewards; today, companies such as Mozilla offer $10,000 for reporting certain vulnerabilities, according to Valtman.

Some problems include sensitive data leakage, denial-of-service, and taking exploits to underground markets for more money, Valtman said. A lack of transparency with companies can also be frustrating, he added.

Next-generation bug bounty programs should find a way to allow penetration tests but prevent malicious exploitation, Valtman said, adding that programs could broaden to engage attorneys, business analysts and others to uncover a wider range of flaws.
