What is a Breach Discovery Bounty?
You may have heard of a “Bug Bounty” before. It is a program offered by many websites and software developers that pays compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These are usually small issues that have been overlooked, or ways the bad guys could exploit and abuse the system. A “Breach Discovery Bounty” follows the same concept of rewarding the researchers, but it also means something far bigger has been identified and discovered. When a company or organization has exposed the private data of its customers or users, it is not just a crisis but could also be a legal liability. This means the discovery moves from “the data was possibly leaked” to evidence-based confirmation that the data was leaked publicly.
Offering a Discovery Bounty and rewarding the security researchers is a fairly common practice among large companies, but even small and mid-sized businesses are opening up to the idea. Google paid $3 million in 2016 to those who identified flaws or exploits, and PornHub offers up to $25k. These companies understand the value of having the “good guys” inform them of how the “bad guys” can access or abuse their data or services.
Security researchers who identify these data breaches and help close public access are responsible for reducing the time that data was exposed. The longer data is exposed, the higher the risk of cyber criminals accessing and using the data to commit fraud. The work of a Security Researcher to discover, notify, and help close access to a data breach could theoretically save an organization’s reputation and help mitigate the financial damages or legal costs of their data being used by cyber criminals and it coming back on them.