{{Short description|Rewards offered for reporting software bugs}}
{{Use American English|date=May 2021}}
{{Use mdy dates|date=May 2021}}
A '''bug bounty program''' is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation<ref>{{Cite book|last1=Ding|first1=Aaron Yi|last2=De Jesus|first2=Gianluca Limon|last3=Janssen|first3=Marijn|title=Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing |chapter=Ethical hacking for boosting IoT vulnerability management |date=2019|chapter-url=http://dl.acm.org/citation.cfm?doid=3357767.3357774|series=Ictrs '19|language=en|location=Rhodes, Greece|publisher=ACM Press|pages=49–55|doi=10.1145/3357767.3357774|arxiv=1909.11166|isbn=978-1-4503-7669-3|s2cid=202676146}}</ref> for reporting [[Software bug|bugs]], especially those pertaining to [[Security bug|security]] [[Vulnerability (computing)|vulnerabilities]].<ref>{{Cite journal |last1=Weulen Kranenbarg |first1=Marleen |last2=Holt |first2=Thomas J. |last3=van der Ham |first3=Jeroen |date=2018-11-19 |title=Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure |journal=Crime Science |language=en |volume=7 |issue=1 |pages=16 |doi=10.1186/s40163-018-0090-8 |s2cid=54080134 |issn=2193-7680|doi-access=free |hdl=1871.1/8cdcfab0-9864-46c2-a7b7-a295c8ee511a |hdl-access=free }}</ref> If no financial reward is offered, it is called a '''vulnerability disclosure program'''.{{sfn|Magalhães|2024|p=236}}{{sfn|Jackson|2021|p=6}}
These programs, which can be considered a form of [[crowdsourced]] [[penetration testing]],{{sfn|Magalhães|2024|p=235}} grant permission for unaffiliated individuals—called bug bounty hunters,{{sfn|Lozano |Amir|2018|p=5}} [[White hat (computer security)|white hat]]s or [[Certified ethical hacker|ethical hackers]]{{sfn|Laszka ''et al.''|2018|p=138}}—to find and report vulnerabilities.{{sfn|Magalhães|2024|p=236}} If the developers discover and [[software patch|patch]] bugs before the general public is aware of them, cyberattacks that might have [[Exploit (computer security)|exploit]]ed them are no longer possible.{{sfn|Magalhães|2024|p=236}}
Participants in bug bounty programs come from a variety of countries, and although a primary motivation is monetary reward, there are a variety of other motivations for participating. Hackers could earn much more money [[market for zero-day exploits|by selling]] undisclosed [[zero-day vulnerability|zero-day vulnerabilities]] to brokers, [[spyware]] companies, or government agencies than by reporting them to the software vendor. If they search for vulnerabilities outside the scope of bug bounty programs, they might find themselves facing legal threats under [[cybercrime]] laws. The scale of bug bounty programs increased dramatically in the late 2010s.
Some large companies and organizations run and operate their own bug bounty programs, including Microsoft, Facebook, Google, [[Mozilla]], the [[European Union]],{{sfn|Magalhães|2024|p=241}} and the [[United States federal government]].<ref>{{cite magazine|url=https://www.wired.com/story/hack-the-pentagon-bug-bounty-results/|title=The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs|date=10 November 2017|magazine=Wired|accessdate=25 May 2018}}</ref> Other companies offer bug bounties via platforms such as [[HackerOne]].
== History ==
In 1851, Alfred Charles Hobbs was paid US$20,000 (adjusted for inflation) to pick a lock.{{sfn|Jackson|2021|p=3}} In 1983, the Hunter & Ready company posted an advertisement with the tagline "Get a bug if you find a bug", offering a [[Volkswagen Beetle]] car to hackers who discovered bugs in its VRTX operating system.<ref>{{Cite web |title=VRTX poster - 102782474 - CHM |url=https://www.computerhistory.org/collections/catalog/102782474/ |access-date=2026-03-20 |website=www.computerhistory.org |language=en}}</ref><ref>{{Cite web |last=Conger |first=Kate |date=2017-01-19 |title=Hacking the Army |url=https://techcrunch.com/2017/01/19/hacking-the-army/ |access-date=2026-03-20 |website=TechCrunch |language=en-US}}</ref> In 1995, [[Netscape]] launched its bug bounty program for the [[Software release life cycle#Beta|beta]] version of its Netscape Navigator 2.0 browser.{{sfn|Jackson|2021|p=3}}<ref>{{cite web |title=Bounty attracts bug busters |url=https://www.cnet.com/tech/services-and-software/bounty-attracts-bug-busters/ |website=CNET |access-date=17 October 2023 |language=en |date=13 June 1997}}</ref><ref>{{cite web |last1=Friis-Jensen |first1=Esben |title=The History of Bug Bounty Programs |url=https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3?gi=55b2381383bd |website=Cobalt.io |access-date=17 October 2023 |archive-url=https://web.archive.org/web/20200316125316/https://blog.cobalt.io/the-history-of-bug-bounty-programs |archive-date=16 March 2020 |date=11 April 2014 |url-status=dead}}</ref> Later on, other enterprises opened their own bug bounty programs. These were supplemented by [[crowdsourcing]] platforms that made it easier for professionals to find bug bounties.{{sfn|Jackson|2021|p=3}}
==Motivation==
[[File:Vulnerability timeline.png|thumb|Vulnerability timeline if discovered first by a malicious actor. If the company becomes aware of the vulnerability first, a patch can be developed that prevents malicious actors from exploiting that vulnerability.{{sfn|Magalhães|2024|p=236}}|upright=1.4]]
Despite developers' goal of delivering a product that works entirely as intended, virtually all [[software bugs|software]] contains bugs.{{sfn|Ablon|Bogart|2017|p=1}}{{sfn|Magalhães|2024|p=235}} If a bug creates a security risk, it is called a [[vulnerability (computing)|vulnerability]], and if the vendor is unaware of it, it is called a [[zero-day vulnerability|zero-day]].{{sfn|Ablon|Bogart|2017|pp=iii, 2}}{{sfn|Sood|Enbody|2014|p=1}} Vulnerabilities vary in their potential to be [[Exploit (computer security)|exploit]]ed by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a [[denial of service attack]]. The most valuable allow the attacker to [[code injection|inject]] and run their own code, without the user being aware of it.{{sfn|Ablon|Bogart|2017|p=2}} The [[cyberattack#Targets and consequences|harms of an attack can be severe]].{{sfn|Magalhães|2024|pp=235–236}}
Organizations seeking to improve security test their systems to see if they can be breached.{{sfn|Magalhães|2024|p=235}} Many contract with external services that conduct [[penetration testing]], but this is not enough to find all vulnerabilities, motivating some companies to supplement it with crowdsourced information.{{sfn|Magalhães|2024|p=236}} Many companies are skeptical of third-party reports,{{sfn|Magalhães|2024|pp=239–240}} fearing that these programs will increase malicious activity, cost too much money, or bring fraudulent reports. Alternatively, bug bounty programs might be ignored because of confidence in the application's security or in favor of other security measures.{{sfn|Jackson|2021|p=4}} Some studies have found that the cost per vulnerability found is much lower via bounty programs than by hiring software engineers to search for vulnerabilities.{{sfn|Magalhães|2024|pp=239–240}}
== Rewards ==
The size of the reward offered depends on factors such as the size of the company, the difficulty of finding the vulnerability, and how severe its effects could be if exploited.{{sfn|Lozano |Amir|2018|p=5}} Successful bug bounty hunters can often make more than [[software development|software developers]].{{sfn|Lozano |Amir|2018|p=12}} Many bug bounty programs are focused on [[web application]]s.{{sfn|Sinha|2019|p=219}}
In August 2013, a [[Palestinian]] computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability through Facebook's bug bounty program, but Facebook's engineers misunderstood the report. He later exploited the vulnerability using the Facebook profile of [[Mark Zuckerberg]], and Facebook refused to pay him a bounty as a result.<ref>{{cite web|url=https://edition.cnn.com/2013/08/19/tech/social-media/zuckerberg-facebook-hack/index.html|title=Zuckerberg's Facebook page hacked to prove security flaw|date=20 August 2013|publisher=CNN|accessdate=17 November 2019}}</ref>
[[File:Facebook t-shirt with whitehat debit card for Hackers.jpg|thumb|A Facebook "White Hat" debit card, which was given to researchers who reported security bugs]]
[[Facebook]] started paying researchers who find and report security bugs by issuing them custom-branded "White Hat" [[debit card]]s that can be reloaded with funds each time the researchers discover new flaws.<ref>{{cite web|last=Mills|first=Elinor|title=Facebook whitehat Debit card|url=http://www.cnet.com/news/facebook-hands-out-white-hat-debit-cards-to-hackers/|publisher=CNET|date=December 31, 2011 }}</ref>
In 2016, [[Uber]] experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber's CISO indicated that the company verified that the data had been destroyed before paying the $100,000.<ref>{{cite web|url=https://www.commerce.senate.gov/public/_cache/files/7d70e53e-73e9-4336-a100-67b233084f12/75728554E990488D71625DFA69B05494.uber---john-flynn---testimony.pdf|title=Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc|date=6 February 2018|publisher=United States Senate|accessdate=4 June 2018}}</ref> Uber's [[Chief Information Security Officer]] expressed regret for not disclosing the incident in 2016. As part of its response, Uber worked with [[HackerOne]] to update its bug bounty program policies to explain good-faith vulnerability research and disclosure.<ref>{{cite web|url=https://threatpost.com/uber-tightens-bug-bounty-extortion-policies/131512/|title=Uber Tightens Bug Bounty Extortion Policy|date=27 April 2018|publisher=Threat Post|accessdate=4 June 2018}}</ref>
[[Yahoo!]] was severely criticized for sending out Yahoo! T-shirts as rewards to security researchers who found and reported security vulnerabilities in Yahoo! products.<ref>{{cite web|last=Osborne|first=Charlie|title=Yahoo changes bug bounty policy following 't-shirt gate'|url=http://www.zdnet.com/yahoo-changes-bug-bounty-policy-following-t-shirt-gate-7000021508|publisher=[[ZDNet]]}}</ref> When [[Ecava]] released the first known bug bounty program for [[Industrial control system|ICS]] in 2013,<ref name=digitalbond>{{cite web |last1=Toecker |first1=Michael |title=More on IntegraXor's Bug Bounty Program |url=http://www.digitalbond.com/blog/2013/07/23/more-on-integraxors-bug-bounty-program/ |publisher=Digital Bond |accessdate=21 May 2019 |date=23 July 2013}}</ref><ref name=cso>{{cite web |last1=Ragan |first1=Steve |title=SCADA vendor faces public backlash over bug bounty program |url=https://www.csoonline.com/article/2133737/scada-vendor-faces-public-backlash-over-bug-bounty-program.html |publisher=CSO |accessdate=21 May 2019 |date=18 July 2013}}</ref> it was criticized for offering store credit instead of cash, which critics argued does not incentivize security researchers.<ref name=secweek>{{cite web |last1=Rashi |first1=Fahmida Y. |title=SCADA Vendor Bashed Over 'Pathetic' Bug Bounty Program |url=https://www.securityweek.com/scada-vendor-bashed-over-pathetic-bug-bounty-program |publisher=Security Week |accessdate=21 May 2019 |date=16 July 2013}}</ref> Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of [[IntegraXor SCADA]], its ICS software.<ref name=digitalbond /><ref name=cso />
Some bug bounty programs require researchers to sign a [[non-disclosure agreement]] to receive payment or safe-harbor benefits from the program. This practice has been criticized on ethical grounds as enabling the company to sweep knowledge of vulnerabilities under the rug.<ref>{{Cite web |title=How Zoom handled vulnerability shows the dark side of bug bounty's |url=https://proprivacy.com/privacy-news/dark-side-of-bug-bountys |access-date=2023-05-17 |website=ProPrivacy.com |language=en}}</ref><ref>{{Cite web |last=Porup |first=J. M. |date=2020-04-02 |title=Bug bounty platforms buy researcher silence, violate labor laws, critics say |url=https://www.csoonline.com/article/3535888/bug-bounty-platforms-buy-researcher-silence-violate-labor-laws-critics-say.html |access-date=2023-05-17 |website=CSO Online |language=en}}</ref>{{sfn|Magalhães|2024|p=246}}
== Reports ==
Because submissions are open to anyone, a large number of reports (estimated at 50–70 percent for [[HackerOne]], the largest platform) are invalid.{{sfn|Laszka ''et al.''|2018|p=139}}{{sfn|Magalhães|2024|p=237}} One study found that the largest number of reports were rejected as previously known vulnerabilities, followed by [[false positive]]s, out-of-scope reports, duplicates, and reports lacking a [[proof-of-concept]]. Another study found that bounty programs offering more money received a higher number of valid reports.{{sfn|Magalhães|2024|pp=237–238}} One cause of invalid reports is that it may be easier for hackers to submit a report than to do the additional work of verifying their finding.{{sfn|Laszka ''et al.''|2016|p=162}} Some bug bounty platforms, including HackerOne, have implemented measures to cut down on the number of invalid reports.{{sfn|Laszka ''et al.''|2016|p=162}} Bug bounty programs may be invite-only, open to trusted security researchers instead of the public.{{sfn|Lozano |Amir|2018|p=8}} To validate the vulnerability and receive an award, the hacker usually has to create an [[Exploit (computer security)|exploit]] to prove that the vulnerability found is a genuine [[security bug]].{{sfn|Lozano |Amir|2018|p=5}} The most commonly reported vulnerabilities in bug bounty programs include [[SQL injection]], [[cross-site scripting]] (XSS), and design flaws.{{sfn|Magazinius ''et al.''|2021|p=97}}
==Participants==
Participants in bug bounty programs come from a variety of countries. In a survey of hackers on the [[HackerOne]] platform, 19 percent gave their location as the United States.{{sfn|Magalhães|2024|p=246}} Anyone can make reports, regardless of their educational background and age.{{sfn|Lozano |Amir|2018|pp=11–12}} The majority of reports come from a relatively small number of hackers.{{sfn|Magazinius ''et al.''|2021|p=96}} The number of reporters and reports increased dramatically in the late 2010s.{{sfn|Magazinius ''et al.''|2021|p=95}}
Although the most-reported motivation of bug bounty participants is the financial reward from reporting,{{sfn|Magazinius ''et al.''|2021|p=100}} other motivating factors include the potential for recognition, intellectual challenge, learning, and job opportunities.{{sfn| Libicki|Ablon|Webb|2015|pp=46-47}}{{sfn|Magalhães|2024|p=236}}{{sfn|Laszka ''et al.''|2018|p=138}} A 2017 study published in ''[[Journal of Cybersecurity]]'' found that newer bug bounty programs attracted more researchers, despite older ones offering higher financial rewards.<ref>{{cite journal |last1=Maillart |first1=Thomas |last2=Zhao |first2=Mingyi |last3=Grossklags |first3=Jens |last4=Chuang |first4=John |title=Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs |journal=Journal of Cybersecurity |date=2017 |volume=3 |issue=2 |pages=81–90 |doi=10.1093/cybsec/tyx008|arxiv=1608.03445 }}</ref>
== Notable programs ==
===Corporate===
In October 2013, [[Google]] announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk [[free software]] applications and [[Library (computing)|libraries]], primarily those designed for [[Computer networking|networking]] or for low-level [[operating system]] functionality. Submissions that Google found to meet the guidelines would be eligible for rewards ranging from $500 to $3,133.70.<ref>{{cite web|url=https://arstechnica.com/security/2013/10/google-offers-leet-cash-prizes-for-updates-to-linux-and-other-os-software/|title=Google offers "leet" cash prizes for updates to Linux and other OS software|last=Goodin|first=Dan|date=9 October 2013|publisher=Ars Technica|accessdate=11 March 2014}}</ref><ref>{{cite web|url=http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html|title=Going beyond vulnerability rewards|last=Zalewski|first=Michal|date=9 October 2013|publisher=Google Online Security Blog|accessdate=11 March 2014}}</ref> In 2017, Google expanded the program to cover vulnerabilities found in applications developed by third parties and made available through the [[Google Play]] Store.<ref>{{cite web|url=https://www.theverge.com/2017/10/22/16516670/google-play-security-rewards-program-vulnerabilities-bug-bounty/|title=Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play|date=22 October 2017|publisher=The Verge|accessdate=4 June 2018}}</ref> Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.<ref>{{cite web|url=https://www.google.com/about/appsecurity/reward-program/|title=Vulnerability Assessment Reward Program|accessdate=23 March 2020}}</ref>
[[Microsoft]] and [[Facebook]] partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.<ref>{{cite web|url=https://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/|title=Now there's a bug bounty program for the whole Internet|last=Goodin|first=Dan|date=6 November 2013|publisher=Ars Technica|accessdate=11 March 2014}}</ref> In 2017, [[GitHub]] and The [[Ford Foundation]] sponsored the initiative, which is managed by volunteers including from Uber, Microsoft,<ref name="Facebook" /> Adobe, HackerOne, GitHub, [[NCC Group]], and Signal Sciences.<ref>{{cite web|url=https://venturebeat.com/2017/07/21/facebook-github-and-the-ford-foundation-donate-300000-to-bug-bounty-program-for-internet-infrastructure/|title=Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure|date=21 July 2017|publisher= VentureBeat|accessdate=4 June 2018}}</ref>
===Government===
In March 2016, [[Peter Cook (press secretary)|Peter Cook]] announced the US federal government's first bug bounty program, the "Hack the Pentagon" program.<ref>{{Cite web|url=http://www.defense.gov/News-Article-View/Article/684616/dod-invites-vetted-specialists-to-hack-the-pentagon|archive-url=https://web.archive.org/web/20160303101413/http://www.defense.gov/News-Article-View/Article/684616/dod-invites-vetted-specialists-to-hack-the-pentagon|url-status=dead|archive-date=March 3, 2016|title=DoD Invites Vetted Specialists to 'Hack' the Pentagon|website=U.S. DEPARTMENT OF DEFENSE|access-date=2016-06-21}}</ref>
In 2019, the [[European Commission]] announced the EU-FOSSA 2 bug bounty initiative for popular [[open source]] projects, including [[Drupal]], [[Apache Tomcat]], [[VLC media player|VLC]], [[7-zip]] and [[KeePass]]. The project was co-facilitated by the European bug bounty platform Intigriti and by HackerOne, and resulted in a total of 195 unique and valid vulnerabilities.<ref>{{Cite web|title=EU-FOSSA 2 - Bug Bounties Summary|url=https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-06/EU-FOSSA%202%20-%20D3.1%20Bug%20Bounties%20Summary%20Final_0.pdf}}</ref>
In 2025, the Government of the Czech Republic launched its official bug bounty program on the Hackrate Ethical Hacking Platform.<ref>{{Cite web |title=Ministerstvo pro místní rozvoj ČR - MMR nabízí odměny za odhalení bezpečnostních děr ve svých IT systémech |url=https://mmr.gov.cz/cs/ostatni/web/novinky/mmr-nabizi-odmeny-za-odhaleni-bezpecnostnich-der-v |access-date=2025-10-09 |website=mmr.gov.cz |language=cs-CZ}}</ref>
===Platforms===
There are some platforms—the largest being [[HackerOne]]—that run bug bounty programs on behalf of software vendors and pay rewards set by the vendor.{{sfn|Magalhães|2024|p=241}} Others include [[Cobalt (cybersecurity)|Cobalt]], [[Bugcrowd]], and Synack.{{sfn|Sinha|2019|pp=3–4}}{{sfn|Laszka ''et al.''|2016|p=161}}{{sfn|Lozano |Amir|2018|p=7}} [[Open Bug Bounty]] is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators.<ref>{{Cite web |last=Dutta |first=Payel |date=2018-02-19 |title=Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147 |url=https://www.techworm.net/2018/02/open-bug-bounty-100000-fixed-vulnerabilities-iso-29147.html |access-date=2023-04-10 |website=TechWorm |language=en-US}}</ref>
==Research==
{{As of|2021}}, most quantitative research on bug bounty programs has focused on publicly accessible datasets. There has not been published research into bug bounties for [[safety-critical system]]s, which have become increasingly connected to the Internet. Most of the existing research is quantitative and created by computer science experts, with a lack of multidisciplinary perspectives incorporating the insights of such fields as economics, law and philosophy.{{sfn|Magazinius ''et al.''|2021|p=100}}
==Legality==
Vulnerability discovery is similar in many respects to a [[cyberattack]]. The actions of even well-intentioned hackers may breach criminal laws passed to prosecute cybercriminals. Most hackers are not legal experts and lack knowledge of the law in their jurisdiction.{{sfn|Magalhães|2024|p=247}} It is common for vulnerability discoverers to receive legal threats after disclosing a vulnerability.{{sfn|Jackson|2021|p=7}}
Although nearly all bug bounty programs promise a [[safe harbor (law)|safe harbor]] for reports complying with their policies,{{sfn|Magalhães|2024|p=247}} if the discovered vulnerability does not fall into a previously established bug bounty program, the company involved could report it as an illegal cyberattack.{{sfn|Magalhães|2024|p=247}}{{sfn|Jackson|2021|p=7}} In China, some vulnerability reporters have been arrested and prosecuted, including the leaders of [[WooYun]]—the oldest and largest vulnerability reporting platform in the country.{{sfn|Magalhães|2024|p=247}}
==Alternative vulnerability markets==
{{see also|Market for zero-day exploits}}
Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. It is not uncommon to receive [[cease-and-desist]] letters from software vendors after disclosing a vulnerability for free.{{sfn|Strout|2023|p=36}} Some individuals who find a previously unknown [[zero-day vulnerability]] do not sell it to the vendor, either directly or indirectly via a third-party bug bounty program. According to one study, the most commonly cited reasons for not reporting a bug were threatening language on the website, lack of an obvious place to report, and lack of response to earlier bug reports.{{sfn|Magalhães|2024|pp=241–242}}
Discoverers can earn more money—more than US$1 million in some cases—by selling the vulnerability to brokers such as [[Zerodium]], [[spyware]] companies such as [[NSO Group]], governments, or intelligence agencies. Government agencies may use the vulnerability to carry out a [[cyberattack]], stockpile the vulnerability, or notify the vendor.{{sfn| Libicki|Ablon|Webb|2015|p=44}}{{sfn|Sood|Enbody|2014|p=1}}{{sfn|Magalhães|2024|p=241}} Some hackers also sell the vulnerability they found to a criminal group.{{sfn| Libicki|Ablon|Webb|2015|pp=44, 46}} In 2015, the markets for government and crime were estimated to be at least ten times larger than the bug bounty market.{{sfn| Libicki|Ablon|Webb|2015|p=44}}
== See also ==
* [[Bounty hunter]]
* [[Cyber-arms industry]]
* [[Knuth reward check]] (Program in 1980)
* [[Open-source bounty]]
* [[White hat (computer security)]]
* [[Zerodium]]
==References==
{{reflist|1=30em|refs=
<ref name="Facebook">{{cite web |first=Alaa |last=Abdulridha |url=https://infosecwriteups.com/how-i-hacked-facebook-part-two-ffab96d57b19 |title=How I hacked Facebook: Part Two |publisher=[[infosecwriteups]] |date=2021-03-18 |access-date=2021-03-18}}</ref>
}}
==Sources==
{{refbegin|indent=yes}}
*{{cite book |last1=Ablon |first1=Lillian |last2=Bogart |first2=Andy |title=Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits |date=2017 |publisher=Rand Corporation |isbn=978-0-8330-9761-3 |language=en |url=https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf}}
*{{cite book |last1=Jackson |first1=John |title=Corporate Cybersecurity: Identifying Risks and the Bug Bounty Program |date=2021 |publisher=John Wiley & Sons |isbn=978-1-119-78252-0 |language=en}}
*{{cite book |last1=Laszka |first1=Aron |last2=Zhao |first2=Mingyi |last3=Grossklags |first3=Jens |title=Banishing Misaligned Incentives for Validating Reports in Bug-Bounty Platforms |date=2016 |publisher=Springer International Publishing |isbn=978-3-319-45741-3 |pages=161–178 |language=en |ref={{sfnref|Laszka et al.|2016}}}}
*{{cite book |last1=Laszka |first1=Aron |last2=Zhao |first2=Mingyi |last3=Malbari |first3=Akash |last4=Grossklags |first4=Jens |title=The Rules of Engagement for Bug Bounty Programs |date=2018 |publisher=Springer |isbn=978-3-662-58387-6 |pages=138–159 |ref={{sfnref|Laszka et al.|2018}} |language=en}}
*{{cite book |last1=Libicki |first1=Martin C. |last2=Ablon |first2=Lillian |last3=Webb |first3=Tim |url=https://www.rand.org/content/dam/rand/pubs/research_reports/RR1000/RR1024/RAND_RR1024.pdf |title=The Defender's Dilemma: Charting a Course Toward Cybersecurity |date=2015 |publisher=Rand Corporation |isbn=978-0-8330-8911-3 |language=en}}
*{{cite book |last1=Lozano |first1=Carlos A. |last2=Amir |first2=Shahmeer |title=Bug Bounty Hunting Essentials: Quick-paced guide to help white-hat hackers get through bug bounty programs |date=2018 |publisher=Packt |isbn=978-1-78883-443-8 |language=en}}
*{{cite book |last1=Magalhães |first1=João Paulo |title=Legal Developments on Cybersecurity and Related Fields |date=2024 |publisher=Springer International Publishing |isbn=978-3-031-41820-4 |pages=235–250 |url=https://link.springer.com/chapter/10.1007/978-3-031-41820-4_14 |language=en |chapter=Bug Bounties: Ethical and Legal Aspects}}
*{{cite book |last1=Magazinius |first1=Ana |last2=Mellegård |first2=Niklas |last3=Olsson |first3=Linda |title=What We Know About Bug Bounty Programs - An Exploratory Systematic Mapping Study |date=2021 |publisher=Springer International Publishing |isbn=978-3-030-55958-8 |pages=89–106 |ref={{sfnref|Magazinius et al.|2021}} |language=en}}
*{{cite book |last1=Sinha |first1=Sanjib |title=Bug Bounty Hunting for Web Security: Find and Exploit Vulnerabilities in Web sites and Applications |date=2019 |publisher=Apress |isbn=978-1-4842-5391-5 |language=en}}
*{{cite book |last1=Sood |first1=Aditya |last2=Enbody |first2=Richard |title=Targeted Cyber Attacks: Multi-staged Attacks Driven by Exploits and Malware |date=2014 |publisher=Syngress |isbn=978-0-12-800619-1 |language=en}}
*{{cite book |last1=Strout |first1=Benjamin |title=The Vulnerability Researcher's Handbook: A comprehensive guide to discovering, reporting, and publishing security vulnerabilities |date=2023 |publisher=Packt Publishing |isbn=978-1-80324-356-6 |language=en}}
{{refend}}
[[Category:Internet security]]
[[Category:Cyberwarfare]]
[[Category:Competitions]]
[[Category:Hacking (computer security)]]