Bug Bounty Programs and Why They Are Important


By Jack Warner

Bug bounty is the term used to describe the reward paid out to developers who find critical flaws in a piece of software or website. Simply put, bug bounty programs offer prizes to white-hat hackers who can find vulnerabilities in an application. Prizes can be in the form of monetary rewards, recognition, gear from the company offering the bounty, or all of the above. Bug bounties allow companies to find and fix security flaws before they become a problem. 

How Bug Bounty Programs Work 

Anyone with the technical knowhow can make money via bug bounty programs, but it’s not as easy as it sounds. Usually, bug bounty programs have strict rules which researchers need to adhere to in order for their submissions to be accepted or considered for the reward. For instance, the developer is not allowed to share information about any bugs they find with anyone until the company has been informed. This rule allows the company to fix the problem before people know it’s there. 

Additionally, researchers must not break any laws in the process of finding bugs in an application. The company offering the bug bounty has discretionary control over the rewards and can choose not to reward flaws it deems to be insignificant. When it comes to opensource software, any interested individual is free to comb through the code in search of bugs. Many companies maintain a page where they prominently display the names of developers who have found bugs in their application and submitted to them responsibly. 

Benefits of Bug Bounties 

Bug bounty programs help companies to find and fix security flaws before hackers beat them to it. That’s the main objective of running a bug bounty program. Bug bounties offer an alternative method of detecting mistakes that slip through the cracks and cause major issues at a later stage. White-hat hackers probably know the psychology of cybercriminals and understand their craft better than anyone and are a company’s best chance at finding potential security flaws, fighting fire with fire. 

For ethical hackers, bug bounty programs add value to their expertise and give them an excellent opportunity to monetize skills. The amount a hacker receives for payment after finding and submitting a bug varies depending on the company the severity of the bug, the amount of information provided, and the company offering the bounty. In 2012, Vasilis Pappas received $200,000 from Microsoft for identifying a security flaw and developing a program to fix it.

Vested Interest

Bug bounty programs allow companies to get ahead of the game by revealing security vulnerabilities before bad guys have a chance to exploit them. While it’s always a good idea for all tech companies to have a bug bounty program, bug bounties are especially important to the VPN industry. Seeing as they are in the business of cybersecurity, Virtual Private Network (VPN) providers have a vested interest in ensuring the quality of their products and the security of their users. 

How to Participate

Do you have what it takes to become a bug hunter? Join ExpressVPN’s bug bounty program to participate. ExpressVPN operates thousands of VPN servers and makes cross-platform VPN applications for all major operating systems as well as routers and browser extensions. The company has been offering an in-house bug bounty program since 2016 and has awarded tens of thousands of dollars to security researchers. The VPN provider takes the security of its applications seriously and is always looking for ways to improve services. 

ExpressVPN’s bug bounty program requires researchers to focus on finding security flaws that weaken, break, or otherwise subvert the company’s VPN communications in a way that exposes the traffic of their users. This includes vulnerabilities that expose customer data to unauthorized persons, security weaknesses in ExpressVPN’s client applications, and any kind of unauthorized access to the company’s VPN servers. As we stated earlier in the article, all bug bounty programs have rules. 

ExpressVPN is no different. The rules are pretty standard. For instance, researchers should keep details of any vulnerabilities they discover confidential until they are fixed. Do not violate the privacy of others, destroy data, disrupt systems, or harm user experience when fine-combing their code. Use only official communication channels to discuss vulnerability information with the company. If you’d like to become a bug hunter at ExpressVPN, the company asks that you play by these rules.


Jack Warner is an accomplished cybersecurity expert with years of experience under his belt at TechWarn, a trusted digital agency to world-class cybersecurity companies. A passionate digital safety advocate himself, Jack frequently contributes to tech blogs and digital media sharing expert insights on cybersecurity and privacy tools.


Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.