While we’re happy that crowdsourced security programs are attracting positive media attention, it’s important to point out that a Vulnerability Disclosure Program (VDP) isn’t a bug bounty, and a bug bounty isn’t a VDP. Both allow for coordinated disclosure between companies and researchers, but there are some stark differences between the two:
- A bug bounty program pays monetary rewards to researchers who submit valid vulnerability reports – a VDP does not. If a security program uses crowdsourcing to find vulnerabilities, and then rewards them (SWAG or monetarily) then it’s a bug bounty.
- The intent of each is different. The goal of a VDP is to offer researchers protection, a standardized process, and set guidelines for disclosing a vulnerability. It’s not an invitation to hack, but rather “if you see something, please say something, and here’s how to do that”. The goal of a bug bounty program is to invite researchers to test specific target(s), submit vulnerabilities, and get paid for their work.
As industry and public attention around security programs that use crowdsourced vulnerability identification continues to increase, it’s important to ensure that VDP and bug bounty are not confused or used interchangeably.