News

Corben Leo (left) and Jarod Keene
Corben Leo (left) and Jarod Keene recently participated in a live bug bounty program. Leo found one of the eight vulnerabilities in the unnamed company’s system.

Students score at Bug Bounty competition

Beacom College of Computer and Cyber Sciences

A bug bounty program is “kind of like a scavenger hunt for computer bugs,” said Corben Leo, a Dakota State University computer science major from Champlin, Minn.

Some bounty programs are ongoing online contests; Leo was invited to a live bug bounty event in early October. Despite having only about four days’ notice, he was excited to attend, and invited Jarod Keene to join him as his “plus one.”

Keene, a cyber operations major from Rapid City, S.D., jumped at the chance to go along to his first bug bounty event. “It was like solving a big puzzle,” he said.

Bug bounty programs, live or online, are becoming more common, the two said, and are sponsored by companies like Yahoo, Google, Oath, Tesla, or government agencies like the Department of Defense. The companies will open source their security and allow hackers – called researchers – to get into the systems and find vulnerabilities, said Leo. These researchers are paid for any vulnerabilities – or bugs – they find.

“I think companies are starting to see how much it costs when they don’t find the bugs,” Keene said, citing examples of companies which have paid millions in fines as a consequence of a breach, when they could have paid researchers only a few thousand dollars to find them.

“Companies can really save money if they stop a breach before it happens,” he stated. Leo agreed.

“Companies don’t have anything to lose from these programs, but bugs can hurt them in the long run,” he said. Bug bounty programs are a “win” for all parties, Leo added. “The companies get their vulnerabilities fixed, the users are protected, and researchers can make a living,” as he knows people who are full-time bug busters.

Leo has participated in several himself. “I plan to do this forever.”

Eight bugs were found in the system of the unnamed company that sponsored this live event, including one that Leo found. It’s satisfying to find them, he admits, but meeting the people is the best takeaway. About 40 researchers attended the Miami, Florida event. “You meet some people who you can learn from,” Leo said, “and some who you can mentor.”

Besides these networking opportunities, Keene learned about the framework of bug busting, the technologies that are used, and the reporting process. The researchers start the day-long competition independently, but some collaboration takes place, he said. Some of the competition is gamified, with a leader board, cash prizes, and interactive challenges.

Knowledge of coding is beneficial, they both agreed, but it’s almost more important to have a good conceptual understanding of how web technologies work. “That’s most of the bug bounty program,” Keene said, knowing the technologies used to request and post information.