Dive Brief:
- Google's Vulnerability Reward Program had a big year in 2017, handing out $2.9 million in rewards to researchers across 113 countries, according to a company announcement. More than $1 million each was doled out for Google and Android product vulnerabilities.
- One bug finder received $112,500 — the largest reward of the year. Of the 1,230 award recipients, only 274 were paid researchers.
- After seven years of the vulnerability program, Google has now handed out about $12 million in rewards.
Dive Insight:
Bug bounties are an increasingly popular means for a company to find holes and vulnerabilities in IT systems. While a prize of more than $100,000 may make a sweat break out on most CIOs' brows, in reality most bug bounty payouts come in at a few hundred dollars.
A bug bounty payout is a bargain for companies that could otherwise incur much higher costs from a data breach or the exploitation of system vulnerabilities. No system, no matter how old, is free of vulnerabilities (just ask Intel), and companies can get ahead of the problem with a comprehensive bug bounty program.
When the macOS exploit was made public earlier this year, the researcher who discovered it admitted that they would have made Apple aware of the problem earlier had the company's bug bounty program included macOS.
The Air Force, Army and Pentagon ran bug bounties with HackerOne last year and discovered troves of vulnerabilities — sometimes in a matter of mere minutes and once at the hands of a teenager.