A reward offered for the identification of vulnerabilities in software.
Bug bounties are offered in the hope that security vulnerabilities will be identified and reported to the software's owner before they can be exploited by a nefarious actor. In crypto, bug bounties are often offered by cryptocurrency businesses such as protocols, exchanges, and wallet operators.
Bounty schemes can be thought of as competitions between friendly hackers. The schemes are open to the public, and the company offering the bug bounty is (theoretically) able to patch any identified vulnerabilities before they become known to bad actors.
In most cases, bug bounties are valued according to the severity of the vulnerability identified. According to HackerOne, almost $900,000 in bug bounties were paid out in 2018 alone. The value of individual bounties can be very low — and it is common for companies to pay about $100 as a bounty for the identification of a low-severity vulnerability. However, critical vulnerabilities can sometimes attract bounties of $10,000 or more.
Some hackers make significant sums of money identifying bugs. Guido Vranken, a Dutch researcher, identified 12 bugs in the space of a week — and was paid $120,000 by EOS in return.
From a software owner’s perspective, bug bounties are considered to be a supplementary security activity, used in addition to other proactive measures.
The most important priority for developers is building secure code and minimizing vulnerabilities before shipping a product. However, even the most careful developers will inevitably miss bugs, and some of these may pose security risks. Bug bounties therefore act as an important second line of defence protecting software owners and users from bad actors.