There's more money to be made from bug hunting in Microsoft code after Redmond announced its 10th active bug hunting reward scheme, the Azure DevOps Bounty Program.
Formerly known as Visual Studio Team Services, the new Azure DevOps Services provides developers with collaborative cloud coding and automation. The bug bounty program also covers on-premises products like Azure DevOps Server and Team Foundation Server.
In a blog post, Buck Hodges, director of engineering for Azure DevOps, said the program will complement existing security practices like code reviews, security scans and red team testing.
"Our Bounty program rewards independent security researchers who find flaws and report them to us responsibly," he said. "We’ll publicly recognize the researchers who report these security issues, and for high-severity bugs we’ll present payments of up to $20,000."
Bug bounty programs have been proliferating, according to HackerOne, a biz that runs such contests. In its 2018 Hacker-Powered Security Report, the firm said bug bounty programs jumped 38 per cent in North America, 37 per cent in Asia, 26 per cent in Europe, the Middle East, and Africa, and 143 per cent in Latin America.
From the firm's launch in 2012 through June 2018 – when HackerOne's report was issued – organizations have paid hackers more than $31m in bounties, a third of that in the 12 months prior to the report's publication.
That may sound like a substantial sum but security biz Trail of Bits recently cautioned that a few highly skilled researchers collect most of the money while the majority of bug hunters collect very little.
Sean Roesner, a UK-based security researcher, wrote recently about the problems facing bug hunters now that bounty programs have become more common and more exploitative, asking hackers to work for free before they can join VIP programs that pay.
Calling such bug bounty programs overhyped and unsustainable, he laments how crowded the space has become with would-be bounty hunters. "I don’t recommend anyone does this full time and bug bounties should only be treated as a side hobby in my opinion," he said, echoing concerns raised by Trail of Bits.
At the same time, even if the median annual earnings figure for a bug bounty hunter isn't very much ($34,255), a small number of skilled security researchers do rather well. Tommy DeVoss, a security expert based in Richmond, Virginia, estimates that he earned about $500,000 last year across the various platforms in which he participates.
"I love the bug bounty programs, and see tremendous value in them as we are helping to secure countless companies' systems," said DeVoss in an email to The Register.
"I just don't agree with billion dollar companies running unpaid programs for the masses and private programs for small groups of people. It's like saying their time is worth being compensated for, while the others aren't."