Bug Bounty Myth #2: Only Tech Companies Run Bug Bounties

In our recently released guide, 7 Bug Bounty Myths, Busted, we addressed some common misconceptions about the bug bounty model and bug bounty programs. We’re spending some time each week to take a deeper dive at those myths one by one. Last week we talked about the misconception that bug bounties are all public, and are open to everyone. Today, we’re addressing a related misconception regarding the types of companies engaging with the bug bounty model.

Myth #2: Only tech companies run bug bounty programs

By taking a quick look at our public programs page, our customers page, and our ‘List’ page, it’s clear that this isn’t true.

It is true that many early bug bounty programs such as Google’s VRP, the Facebook Bug Bounty, Microsoft’s bug bounty program and more, were all run by tech companies. And yes, the first bug bounty launched by Netscape 21 years ago, and the several that followed after were also run by tech companies. 

Today, however, the bug bounty space is very different. All kinds of companies are running bug bounty programs, not just technology companies.

While bug bounties have been used for more than 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few. Private and public bug bounty programs provide an opportunity to level the cybersecurity playing field — by arming complex organizations with the strength and expertise to combat constant external threats

What companies run bug bounty programs?

Our public programs run the gamut, from B2B technology companies such as Barracuda and consumer Internet companies such as Pinterest, to conservative financial bodies like Western Union and automotive manufacturers such as Fiat Chrysler. Private programs also allow more conservative organizations to run bug bounty programs with more control.

  • Financial Services: The financial services sector is a clear target for attackers, and as these organizations get more complex, they’ve become increasingly difficult to defend. In our Financial Services Industry Report, you can learn more about why companies like Western Union and recently launched MasterCard are improving their product security.
  • Automotive: In the past few years, more automakers are being forced to look to the crowd to increase their talent pool. Car hacking isn’t a skill set that’s easy to hire for. Thus, the crowd expands testing resources for companies like Fiat Chrysler Automotive and Tesla.
  • Retail and E-Commerce: Many of our customers in the e-commerce and retail industry including online marketplace Etsy, travel search engine Skyscanner, and online retailer Jet.com, are seeing tremendous results compared to traditional security assessments. Digital loss prevention company Digital Safety is also utilizing the crowd in interesting ways.
  • IT Security: Security organizations are ‘practicing what they preach’ by augmenting their existing appsec programs with the crowd. Okta has been running a successful private bug bounty for years, and others such as OWASP,1Password and Kenna Security are utilizing public bounty programs to encourage security research.
  • Education: As education technology emerges, this sector is also beginning to improve security testing measures. Instructure, the organization behind Canvas Learning Management System, has always been committed to their product security and has done so with the crowd for years.
  • Healthcare: Although adoption through this sector is just beginning, it’s becoming clear how important application security are for these organizations. Zephyr Health, one of our customers, is on the forefront of innovative and improved security testing practices.

These are just a few sectors–in addition to the ‘technology’ companies that popularized this model–that are starting to make the most out of the crowdsourced economy. We look forward to supporting this trend.

Want to learn more about common misconceptions around bug bounty programs? Download our report, and subscribe to our blog at right to get more in-depth commentary on the seven bug bounty myths in the coming weeks.