The business landscape has been transformed over the last decade by internet and computer use. With all of that accessibility comes vulnerability, as businesses are a constant target for hackers across the globe. Job prospects for white hat hackers are on the rise, however, with companies such as Google paying for information on exploits and vulnerabilities through their Vulnerability Reward Program (VRP).
In Google's case, the pay scale increases with the severity of the exploit:
- $500 for “Moderate” risk
- $1,000 for “High” risk
- $2,000 for “Critical” risk
Google doubles the reward if a fix is provided along with the exploit information. Back in 2013, they paid an individual $50,000 for finding an incredibly critical exploit in the Chrome browser.
When a hacker finds an exploit or a bug, they can sell the information on the Dark Web or a black hat site, exploit it themselves, or report the finding to the company and receive a reward. But the exploit must be reported in a certain way, otherwise the reward cannot be redeemed, as was the case with Palestinian security researcher Khalil Shreateh, who posted to Mark Zuckerberg's personal Facebook wall to prove that the bug report he filed was legitimate. His actions excluded him from collecting his bug bounty through Facebook's White Hat program.
Google and Facebook aren't the only companies offering work to hackers. There are even companies like Bugcrowd that use a crowd-sourced security team to crawl a site for potential vulnerabilities.
Fixing the bugs adds another layer of armor, leaving one less area exposed for a company. Offering hackers a chance to work legally gives them an incentive to report bugs rather than exploit them.