The Mandalorian pictured here is not a bug bounty hunter. We wish he was, though. That'd be really cool. (Photo by Evgeniy SOFRONEYEV / AFP)


Bug Bounty programs gaining traction in APAC

Bug bounty programs, which reward those who find and report bugs, especially security vulnerabilities and exploitable flaws, in existing systems, are gaining popularity in the Asia Pacific.

The individuals or teams who take part in bug bounty programs are normally computer programmers. However, as bounties get more lucrative, ethical hackers are now also finding such programs to be a better way of making a living.

Unlike the bounty hunters of Star Wars, bug bounty hunters seek to expose vulnerabilities in an organization's systems.

Tech giants like Google, Facebook, and AWS are known to use bug bounty programs to test their products and find vulnerabilities in them. According to reports, Google paid out over US$6.7 million in bug bounty rewards last year to 662 security researchers across 62 countries.

APAC bug bounty efforts

Facebook paid a US$30,000 bounty to a computer engineering student in India after he reported a bug on Instagram that allowed a malicious user to view targeted media on the app.

A 20-year-old self-taught cybersecurity expert in India also earned US$30,000 from Microsoft after she discovered a remote code execution (RCE) bug in Azure's cloud platform. RCE is a critical class of vulnerability with a severe impact on a system's security, because it lets an attacker run code of their choosing on the affected system.

Over in Southeast Asia, Lazada launched its bug bounty program by offering security researchers up to US$10,000 per bounty. E-hailing giant Grab started a private bug bounty program in 2017 before moving it to an open program last year after much success.

These moves show how seriously businesses take ensuring their products and services are not compromised.

Last year, the Singaporean government paid out US$30,800 to ethical hackers after they discovered 33 security vulnerabilities across 13 public government Information and Communication Technology (ICT) systems, digital services, and mobile applications with high end-user touchpoints. Fixing the vulnerabilities discovered let the government harden those systems.

Over in Australia, the National Australia Bank (NAB) launched a bug bounty program in partnership with the crowdsourced security company Bugcrowd. The first of its kind in Australian banking, the program is open to vetted security researchers who have previously uncovered undisclosed vulnerabilities in NAB's environment.

Bug bounties and cybersecurity: are they the same?

According to the 2020 CrowdStrike Asia Pacific and Japan (APJ) State of Cybersecurity Report, 74% of APAC business leaders listed enhancing cybersecurity measures as a priority for additional investment, while 65% expect IT budgets to increase despite the effects of the COVID-19 pandemic.

While the technology is available, the main concern is finding skilled people to operate it. The Asia Pacific is still experiencing a shortage of skilled IT workers, especially in cybersecurity.

However, bug bounty programs are not a shortcut to having a robust cybersecurity profile.

Bug bounty hunters only look for weaknesses or vulnerabilities in existing systems; they do not build or operate preventative cybersecurity protection. Organizations will still need their respective cybersecurity vendors to fix the issues that are reported.

So what can companies do?

As these experts cannot provide preventative cybersecurity measures, companies will still need to invest in proper cybersecurity measures.

Because skilled IT talent is in high demand, not every company will have the right cybersecurity expertise to check its own programs for bugs, and these bugs are often subtle and hard to spot. Ethical hackers usually shine in this area: they are better at recognizing such bugs and vulnerabilities, and so expose them more easily.

For their expertise and skill, remuneration for their services tends to be very lucrative. In fact, a report showed that top ethical hackers can earn up to US$100,000 in bounties from such programs.

Interestingly, these ethical hackers are also known for their honesty. There is an unwritten code among ethical hackers when it comes to bug bounty programs: do not plant other bugs in the system being tested.

As demand for skilled tech talent continues to increase, more companies will find that bounty programs can be a cost-effective and efficient way to strengthen their cybersecurity.