I have reported to you many times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense which offer a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks. Private companies, such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal, black hat hackers, who identify vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000, however, Google has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.   Google has paid out more than six million dollars in bug bounties since the program was started in 2010.  Apple, which had long resisted paying bounties to people finding the worms in their Apples announced  last summer that it will pay $25,000 to people who find vulnerabilities in its digital compartments and into its customers’ data, $50,000 for identifying bugs enabling hackers to gain access into iCloud data and a whopping $100,000 to anyone who finds vulnerabilities in Apple’s firmware.

Private security companies also pay bounties for discovering software flaws in the products we use.  Recently, Zerodium tripled the amount it had previously been offering for hackers who can identify previously undiscovered vulnerabilities in iPhones and iPads to 1.5 million dollars.  Companies like Zerodium make their money by selling their information to governments as well as private companies.  Earlier this year, the FBI paid a million dollar bounty to a security company that provided them with a way to hack into the encrypted iPhone of one of the San Bernadino terrorists.


Bug bounties are a positive strategy for businesses and  government to enhance cybersecurity.  Facebook even paid a bounty to a ten year old Finnish boy.  Although the ten year old white hat hacker used his talents for good, the fact that a ten year old boy has the technological sophistication to identify and exploit vulnerabilities in commonly used software programs should give us all a bit of  concern.  As for us as individuals, the best things we can do to protect our own cybersecurity is to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.