‘Bug bounties’ reward white-hat hackers

From Facebook to UPC, Google to Microsoft, companies are turning to hackers who use information for good

The discovery of a security flaw or cyber vulnerability by hackers used to be every company’s worst nightmare. Internal files, emails and source code could be downloaded, financial information such as credit-card details could be stolen, and personal information could be leaked.

While the war against cyber criminals rages on, more and more companies are engaging with the hacker community to find security flaws.

From Facebook to UPC, Google to Microsoft, companies are turning to so-called white-hat hackers (hackers who use information for good), incentivising them to identify security gaps, before cyber criminals use them to steal information or crash websites.

The hackers are offered rewards in the form of a “bug bounty”, some of which are as high as $100,000 for identifying security issues.


Facebook has paid out more than $3 million in bug bounties, Mozilla Foundation has paid out more than $1.6 million since launching its bounty programme, and Google has paid out more than $1.7 million.

Two months ago, United Airlines joined the lengthening list of companies offering hackers incentives to report bugs privately. In an effort to bolster web security, the airline offered a bug bounty in the form of frequent-flier miles (which can be used to fly places free of charge), to hackers who uncovered cyber risks and flaws within its systems.

Last week the airline awarded two hackers with one million air miles each. One of the hackers was Jordan Wiens, an American cyber-vulnerability researcher. He found a bug that could have theoretically allowed hackers to take over United's websites. News headlines rang out with the story of millions of frequent-flier miles being awarded by United to the most unlikely of recipients: hackers.

The bigger untold story, however, is how many more companies will have to start doing the same. Bug bounties are big business and rewarding good hackers is the new normal. Companies that do not stay on top of this trend could end up with a security breach, and a lack of sympathy from security researchers and the general public.