Researchers have shown that bug bounties are a cheaper way to discover vulnerabilities than hiring full-time bug hunters, and in the last few years many Internet and tech companies have instituted such programs.
The security community has praised those who have done so, and the companies themselves are satisfied with the results.
Take Twitter, for example. Its bug bounty program, started in May 2014, has led to 5,171 submissions and the discovery of an unspecified number of vulnerabilities, some of them quite serious.
The highest amount paid out to a researcher for a single vulnerability report was $12,040, but in two years no bug hunter has earned the $15,000 minimum payout set for a remote code execution flaw.
All in all, the company gave out $322,420 to researchers in two years, and in 2015 alone, a single researcher got over $54,000 for reporting vulnerabilities to the Twitter security team.
“Since launching the program we’ve seen impressive growth in both the number of vulnerabilities reported and our payout amounts, reflecting our rising payout minimums and also the growing community of ethical hackers participating in the program,” says Twitter software engineer Arkadiy Tetelman.
“We’re thankful to all the security researchers who have worked hard to find and report vulnerabilities in Twitter, and we look forward to continuing our good faith relationship in 2016 and beyond.”
With the rapid growth of the bug bounty economy, they can count on it.