In November 2010, Barracuda Networks Inc., based in Campbell, Calif., became one of the first companies to run a security bug bounty program. Given the critical role that secure software plays in the world, it's no wonder that an IT security and networking company would pay people to identify potential vulnerabilities -- to find and fix them, and to provide an open communications channel for security researchers and, yes, even hackers.
The Barracuda Networks Security Bug Bounty Program initially received a handful of reports every quarter. By 2012, Barracuda Labs had hired full-time employees to respond to researchers, distribute awards and work with product teams. Since that time, many other companies have tried bug bounties, and third parties have emerged to help manage the process. The results have been positive, with some research pointing to cost savings for outsourced programs, but challenges remain.
In the case of Barracuda, while the company originally committed a security team to working full time on its bounty program, in December 2014 it decided to move it to the Bugcrowd platform. Founded in 2012, Bugcrowd is a San Francisco-based third-party provider of bug bounty and penetration testing services. The Barracuda bounty program, run by Bugcrowd, currently offers $50 to $3,133 per qualifying bug.
The company's executives cited Bugcrowd's potential to increase its access to vulnerability researchers from 500 to more than 13,000 in the crowdsourcer's community. Other companies have followed a similar path. In February, Bugcrowd reported that it had 220 active bounties, 33,150 security vulnerability submissions and 14,300 researchers participating in its crowdsourced security program.
Strength in numbers
John Pescatore, director of emerging trends at the SANS Institute in Bethesda, Md. (and a former Gartner analyst), says bounty programs like the one Barracuda initiated have continued to garner attention and support.
"The majority of the bug bounty programs seem to have had a positive impact," he says, "meaning, the legitimate software writer was notified of a problem earlier than they would have been otherwise." However, the spectrum of so-called "vulnerability researchers" is quite broad, ranging from casual and occasional dabblers to paid professional white hats -- and doubtless includes some people who are actually "bad guys."