Thursday, November 28, 2019

Why do tech companies offer huge sums of money in bounty programs?


Security is a central concern in technology, so companies are constantly working to strengthen the security of the products they ship. Take Apple and its iPhone: one of the major reasons Apple sells so many devices, and appeals to so many people as a brand, is that it offers some of the best security available on any device today. Because top-notch security matters so much, companies spend millions of dollars trying to make their devices as close to impenetrable as possible, in order to keep users' private information, well, private. Some companies go a step further and make sure that whatever they miss, or cannot find themselves, still gets reported to them and fixed. They do this through bug bounty programs.

In the last few years almost all of the big tech companies, especially those making smartphones, have either introduced a bug bounty program or raised the maximum amount they will pay security researchers who find and report flaws in their devices. Google just raised the top reward for finding and reporting bugs in its Pixel phones to $1.5m. Apple not long ago raised its maximum to $1m, and Huawei launched a bounty program of its own. Even granting that security is important, $1.5m is still a ton of money. So why do companies go to such extremes and promise such large sums? Simply put: the black market. The answer may be simple, but the solution is not. These huge sums are offered to persuade security researchers to report problems to the companies that manufacture the affected devices, rather than selling them to criminals on the black market.

The problem is that no matter how much these companies offer, or promise to offer, they cannot compete with the black market. Katie Moussouris, founder and CEO of Luta Security, agrees, and gave her reasoning after Google raised the top reward in its bounty program. She said, "Just like when Apple raised their bug bounty to $1.5m, Google's won't compete with the 'black market' [of selling to criminals], which can raise prices any time." The only real solution is for companies to keep investing in security research so that their systems are as close to unbreakable as possible, because if they don't, and a flaw is discovered later, the black market will usually win.