Whether that’s happening or not is, at least at the moment, essentially drowned out by the sheer number of bug bounty programs in existence and the number of hackers hoping to cash in from them.
According to one list from vpnMentor, there are 734 programs in operation this year, not just from the predictable giants like Google, Apple, Facebook, Microsoft, Alibaba and Amazon Web Services, but seemingly everybody else too, from Craigslist to Dropbox, GitHub to GoDaddy, Netflix to PayPal, the United Nations to United Airlines, WordPress to Walmart and Yahoo to Yelp.
And HackerOne, a company that hosts bug bounty programs, says more than 300,000 people have signed up for them, although critics say some of those are zombie accounts.
The surface appeal to those involved is obvious. For the companies, it’s kind of like crowdsourcing your security. You get thousands of eyes—typically those of some of the best white hat (i.e., ethical) hackers—on your software, looking to find weaknesses.
If they find problems, you agree to pay them—the amount depends on the severity of the vulnerability—but you don’t have to put them on the payroll full time.
And of course it is vastly cheaper to pay anybody, on staff or not, to find bugs in your network, systems or applications than to deal with a major data breach and its now well-known list of consequences: major brand damage, possible fines or other sanctions, liability that can run into the hundreds of millions, and so on.