Bug Bounty Hunters, And How Their Love For Bugs Is Saving The Web

Just like any other human creation, software has flaws. The question that follows is: who is going to find them first?

A bug bounty program is a deal offered by many websites, organizations and software developers by which people can receive recognition and compensation for reporting software vulnerabilities, especially those pertaining to security exploits.

Bug bounty programs are plentiful. They allow the developers of the software to resolve a bug before the general public is aware of it, which also prevents incidents of widespread abuse.

And those who hunt for the bugs are called 'bug bounty hunters'.

They can be anyone. But most of the time, they are cybersecurity experts, programmers or developers. Bounty hunting is also a popular career among white hat hackers.

In general, bounty hunters have knowledge and experience in areas such as SQL Injection, Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Local and Remote File Inclusion, Information Disclosure and Remote Code Execution (RCE).
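To make the first of those classes concrete from the defender's side, here is an added example (not code from the original article) showing why SQL injection bugs exist at all: a lookup that pastes user input into the SQL text, beside the parameterized form that keeps the query grammar and the data apart. The sample users, including a legitimate name containing an apostrophe, are constructed for the demonstration; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    # Parameterized insert: the apostrophe in "o'brien" is stored verbatim.
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concatenated(conn, name):
    """The flawed pattern: user input is pasted into the SQL text.

    The database parser cannot tell where the name ends and the query
    grammar resumes, so a quote character in the input changes the
    structure of the statement instead of being treated as data.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """The hardened pattern: the SQL text is fixed, the value travels separately."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def probe(name):
    """Run both lookups for one name and report what each does.

    Returns a dict with the parameterized result plus either the concatenated
    result or the name of the error the concatenated query raised.
    """
    conn = make_db()
    outcome = {"parameterized": find_user_parameterized(conn, name)}
    try:
        outcome["concatenated"] = find_user_concatenated(conn, name)
        outcome["error"] = None
    except sqlite3.Error as exc:
        # The apostrophe in a perfectly ordinary name already breaks the
        # concatenated statement; that is the same confusion of data and
        # grammar that an SQL injection report is about.
        outcome["concatenated"] = None
        outcome["error"] = type(exc).__name__
    conn.close()
    return outcome


if __name__ == "__main__":
    for candidate in ["alice", "o'brien"]:
        print(candidate, "->", probe(candidate))
```

The point a reviewer or hunter looks for is the shape of the query, not a specific input: any function that builds SQL by string concatenation from untrusted values is a finding, and the fix is the parameterized form, which handles the apostrophe case correctly without any escaping logic of its own.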

To these people, finding bugs can be fun. It is more or less like playing detective: sneaking past security features and sifting through code.


Finding Mistakes In Other People's Work For The Money And Recognition

Bounty hunting is like hacking. But instead of causing damage or stealing data, bounty hunters seek a reward for every bug they find, which is where the name comes from.

It's a different way of approaching computer security, but one that is proving increasingly popular.

It's like hacking, but doing the right thing.

To a number of bug bounty hunters, the money they earn is more than enough for a decent living.

According to HackerOne, which organizes events for hackers and runs bug bounty programs for big businesses and government agencies, a number of hackers have earned more than $1 million each in rewards for spotting vulnerabilities. A few more have earned $500,000 in lifetime earnings, and even more have earned $100,000 each.

But to others, bounty hunting only brings in some extra pocket money. And to the rest, earning rewards from bug bounties is not a priority; the reward is only a motivator for something that is priceless.

If the bug bounty hunter is fond of programming and hacking, the hobby of finding mistakes in other people's work is already a thrill on its own.

Hacking is often seen as a shady and mysterious practice. But it means more than just a "hack".

The term "white hat", for example, is internet slang for an ethical computer hacker or computer security expert who specializes in penetration testing and other testing methodologies that ensure the security of an organization's information systems.

Many bounty hunters are ethical hackers.

They stand in contrast to "black hat" hackers, who mostly work without authorization and with malicious intent.

Bug bounty programs have been around for a long time.

Browser pioneer Netscape was known to have launched the first bug bounty program back in 1995. This was followed by Mozilla a few years later.

After Netscape and Mozilla, many other big tech companies followed.

Because a bug bounty program lets a tech company enlist third parties to help at a much lower cost than hiring a dedicated team or a contractor, such programs have become more and more common.

But before that, companies should ensure that their internal development processes encourage secure coding, rather than adding security as an afterthought or hoping that some hackers can fix the problem later.

Taking into account the additional developer time, the cost of the bug bounty program and the cost of any security breaches in the interim, making sure that the code is secure before it is published is always going to be much cheaper than fixing it later.


Looking For Flaws Inside Code

The very first time humans were able to store a computer program in memory and run it was back in June 1948, at the University of Manchester, on the Manchester Baby computer. The program was written by Tom Kilburn, and it calculated the highest factor of the integer 2^18 = 262,144.

It was a simple piece of software with nothing beyond its original intention.

But gone are those days.

In the modern days of the internet, computer programs range from a few kilobytes to megabytes, gigabytes, terabytes and beyond. With the increase in size come more lines of code, and with more lines of code, more flaws can be present.

Part of the reason software has flaws is the way it is written.

Sometimes the developers are in a hurry. This can happen when they are under pressure to meet a deadline. Software can also have bugs because of the many people involved in creating it. Even within a team, different people have different experience, skills and priorities. Combining their work to finish a project is one of the main ingredients of a software bug.

There is also a chance that bugs are introduced by a program's external dependencies.

In other cases, software develops bugs after new elements and features are added to it. Code that was secure at one point can develop problems later for this reason.


Software Will Always Have Bugs, Inherited From Humans

The more complex a piece of software becomes, the higher the chance that it has bugs.

And as long as there are still bugs in software, there will be security bugs present, and somebody will find them sooner or later. That somebody is either on the good side or on the bad side.

As long as humans write code, there will be flaws. And wherever there are flaws, there are going to be errors.

And until humans can create the perfect AI bot to replace programmers, bug bounties as a concept are here to stay for the foreseeable future.

Bug bounties are a good way for companies to get an outsider's look at what they have, by offering something in return whenever that outsider finds a vulnerability in the system.

It's a win-win situation. Companies only pay when a bug is found, and hunters are paid whenever they find one.