Bug bounty programs work. And it makes sense: white-hat hackers of all stripes and skill levels get a chance to track down critical flaws, improve their security reputation and get paid.
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by Facebook, Yahoo!, Google, Reddit, Square, Microsoft and now ZOL Zimbabwe has joined the list.
Dark Reading noted these programs are quickly “growing up,” offering bigger pay-outs and using a more formal approach to regulate vulnerability values.
According to ZOL the “Vulnerability Reward Program was created to show our appreciation to those external contributors that help keep our users safe.”
ZOL has stated that any ZOL-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes most of the content in the following domains:
Bugs in ZOL-developed apps as well as some of our network configurations will also qualify. Third-party websites, applications and networks are exempt from this program. So, according to the terms and conditions, you can test all ZOL subdomains.
Bug bounties can be profitable, not only for researchers, who can earn cash rewards for their findings, but also for companies, which can potentially save money otherwise spent on damage control. If a zero-day vulnerability is exploited in the wild before it can be patched, it can be very dangerous to the company.
ZOL said that any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program.
The bottom line is that bug bounty programs, both internal and managed, are maturing as corporate risk increases. They are also becoming increasingly structured as more hackers lend their squashing skills to protect corporate data.
If you have found a vulnerability, you can email it to firstname.lastname@example.org. If necessary, they will provide a PGP key upon request.