These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches.
Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs.
As part of their response, Uber worked with HackerOne to update their bug bounty program policies to explain good-faith vulnerability research and disclosure.
Ramses Martinez, director of Yahoo's security team, later claimed in a blog post[25] that he had been behind the voucher reward program and that he had essentially been paying for the vouchers out of his own pocket.[26]
Similarly, when Ecava released the first known bug bounty program for ICS in 2013,[27][28] they were criticized for offering store credits instead of cash, which does not incentivize security researchers.[29]
Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, their ICS software.
With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality.[38]
Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.
In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[44]
In 2019, the European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass.
The project was co-facilitated by the European bug bounty platform Intigriti and by HackerOne, and resulted in a total of 195 unique and valid vulnerabilities.