Aperture Podcast: Dennis Fisher on ‘When Bug Bounties Went Boom’
By Michael Mimoso | September 22, 2021
Bug bounty programs are today a normalized part of information security, but that wasn't always the case. Researchers who probed software, hardware, web applications and more for exploitable vulnerabilities were sometimes met with threats of legal action from vendors and, in some cases, were even labeled extortionists.
Over the last 15 years, however, that changed relatively quickly: bug bounty programs are now the accepted norm for compensating legitimate researchers for finding vulnerabilities and coordinating disclosure with the affected vendors.
On this episode of the Aperture Podcast, Decipher Editor in Chief Dennis Fisher joins the show to discuss a three-part series he wrote that goes back to the early days of vulnerability research, told in the words of the people who laid the foundation for what is today a lucrative industry within information security.
The series is a deep dive into how the hackers and researchers who worked hard to find vulnerabilities, often compensated with nothing more than an acknowledgment in a security advisory, turned the industry on its head and began to seek monetary compensation. The pressure they put on the industry led to some of the first vendor bounty programs, at Mozilla and Google. Even Microsoft, which for years resisted paying researchers for their findings, eventually paid out some of the largest bounties on record.
In this episode, you’ll hear more about:
How Dennis decided to pursue this story and why he chose to do so in an oral history format
The early days of vulnerability research, and the tribulations white-hat hackers faced from vendors and their legal teams
How the No More Free Bugs movement started to turn the tide in favor of researchers
Vendor-sponsored bug bounties from Mozilla, Google, Microsoft and many others, as well as commercial programs and platforms such as ZDI, HackerOne and Bugcrowd, which together eventually normalized bounties as an industry
The impact of the Hack the Pentagon bounty program
The shadowy world of gray markets for vulnerabilities and exploits