From the Spring 2021 Issue

How Much is Too Much When Paying Out a Reward for a Vulnerability?

Alex Haynes
CISO | Cheshire Datasystems Ltd.


There has been a lot of publicity surrounding 'bug bounty' programs that pay out seemingly large rewards for finding vulnerabilities in web applications. This trend has increased over the years as crowdsourced security programs have matured since their inception almost 10 years ago and their adoption has become mainstream. Should we pay out large sums of money for fixing the symptoms and not the cause?

For example, Zoom has recently increased their maximum pay-outs for vulnerabilities to $50,000 as part of their crowdsourced security program (See Figure 1 below). Such lofty . . .
