the history of bug bounty programs
DESCRIPTION
A presentation going through the exciting timeline of bug bounty programs.
TRANSCRIPT
The History of bug bounty programs
www.crowdcurity.com
CrowdCurity
Intro and timeline
Bug bounty programs are becoming an increasingly popular method of finding security bugs on the internet. Google, Facebook and PayPal are just some of the companies who now run such programs. But when and how did the idea for this cost-effective, crowdsourced security testing model arise? In this presentation, we look a little deeper into the interesting history of bug bounty programs.
On October 10th, 1995, Netscape launched the very first bug bounty program, which offered cash rewards to those who were able to find security bugs in their Netscape Navigator 2.0 Beta. Matt Horner, Netscape’s Vice President of marketing, explained at the time: “By rewarding users for quickly identifying and reporting bugs back to us, this program will encourage an extensive, open review of Netscape Navigator 2.0 and will help us to continue to create products of the highest quality.” Netscape’s first-mover mentality was impressive, but the idea did not catch on with other software vendors. The company’s bug bounty program continued until the final release of Netscape Navigator 2.0, when the winners were announced.
As Netscape’s bug bounty methodology did not catch on with other vendors, the security company iDefense, which was later bought by Verisign, began an initiative in 2002. Their Vulnerability Contributor Program offered researchers cash rewards of up to $400 for reporting vulnerabilities in software to them. iDefense would then act as a middleman between the researcher and the software vendors.
In the summer of 2004, nine years after the Netscape bug bounty, the Mozilla Foundation launched a bug bounty program offering rewards of $500 for researchers able to identify critical vulnerabilities in Firefox. The program was sponsored by entrepreneur (and space tourist) Mark Shuttleworth and the Linux distributor Linspire. The Mozilla bug bounty program is still going strong today, expanded to cover most of Mozilla’s products.
In 2005, iDefense competitor TippingPoint launched another “middleman” program, called the Zero Day Initiative (ZDI). Just like iDefense, TippingPoint connected the security community with the vendors by offering cash rewards for vulnerability reports. The ZDI is still running, now under Hewlett-Packard, which acquired TippingPoint’s parent company 3Com in 2010. David Endler, who has worked for both iDefense and TippingPoint and was a prime mover behind both of their programs, has written a nice blog post, “Remembering five years of vulnerability markets,” describing the period from 2002 to the launch of ZDI.
Three weeks before the 2007 CanSecWest conference, Dragos Ruiu announced the PWN2OWN contest, a hunt for security bugs in Mac OS X. This was Ruiu’s way of showing frustration with the way Apple handled security and disclosure. The contest was held within a limited time frame, with the prize initially announced as a laptop, but later upgraded to a $10,000 reward provided by ZDI. PWN2OWN was a great success and has become a recurring event at CanSecWest. In 2014, $850,000 was paid out in rewards to skilled researchers.
In 2010, the vulnerability reward program for Google web properties really kickstarted the trend towards bug bounty programs for web applications. Earlier the same year, Google had launched a similar program for the open-source Chromium project, with good success. Google’s reward program, which openly invited researchers worldwide to test their sites on a continuous basis, was similar to the one Mozilla launched in 2004. In general, a lot happened on the bug bounty scene in 2010: Mozilla decided to expand their program to web applications, Barracuda Networks launched a bug bounty, and Deutsche Post, the German federal postal service, launched a bug bounty on their secure messaging service.
Facebook followed in the footsteps of Google and launched their Whitehat program in 2011. Facebook announced they would pay out minimum rewards of $500, with no upper limit. The Facebook Whitehat program is still running today, and more than $2M has been paid out in rewards, including $1.5M in 2013 alone.
Online businesses of all sizes today feature ongoing bug bounty programs on their web applications. Even Microsoft now runs a bug bounty offering $100,000 in rewards for the discovery of critical vulnerabilities. Reward sizes have increased with the popularity and legitimacy of these programs: Google’s rewards, for instance, are five times greater today than in 2010. But the story of bug bounties is still in its early chapters. Last year, Microsoft and Facebook joined forces to sponsor the Internet Bug Bounty, a program dedicated to finding vulnerabilities in frameworks such as Ruby on Rails or Django. Another growing trend is the popularity of bug bounty marketplaces such as our own (CrowdCurity). These marketplaces offer online businesses the opportunity to easily start and manage their own bug bounty program, and to leverage the power of the security community.