
Commentary: Bug Bounty Hunters Capture Security Risks

California’s chief information security officer, Vitaliy Panych, explains how the state offers a financial incentive, known as a “bug bounty,” to encourage ethical hackers to test new products in a controlled environment.

This commentary first appeared on the Tech Blog of the California Department of Technology.

California is using crowdsourced testing to find vulnerabilities in state apps to stop security breaches before they happen. The state offers a financial incentive, known as a “bug bounty,” to encourage ethical hackers to test new products in a controlled environment.

The testers, or “bounty hunters,” find and report bugs before bad actors can discover and exploit them. Outside of California, several government organizations have embraced the concept of crowdsourced security testing, including Hack DHS, Hack the Pentagon, Iowa, and numerous tech firms around the globe.

Throughout the pandemic, California’s government tech community quickly rolled out app-based products. The bug bounty model enabled us to scale up testing engagements on demand. We started with a select group of about 100 testers, and 100 percent of the bugs they found were verified. As a result of their efforts, we closed the security holes by giving developer teams the steps needed to apply fixes at the protection layer in front of the applications.

By using crowdsourced security testing and bug bounty incentives, we ensure that all possible paths and pages of an application are tested. The model also serves as a continuous additional check and balance whenever a security bug is introduced. Our goal is to keep this valuable tool in our tool chest, at a smaller scale during initial trials, and to expand it as we help state organizations discover and remediate their own findings.

Vitaliy Panych was named state chief information security officer in January. He joined state government in 2003 and, before his current role, held a series of increasingly responsible positions across several departments, including the Franchise Tax Board, the California Department of Corrections and Rehabilitation and the Employment Development Department.