To cure their woes, the bug bounty industry should look no further than risk pooling.

As the political climate heats up, so does the new era for cyberwarfare. In recent history, nation states supplemented military conflict with attacks on digital infrastructure to either gather intelligence or cause outages, but now with their high impact and versatile usage, there is more reason to include cyber attacks not only before, but during and after conflicts. Actually, there is no reason to stop. In order to maximize effectiveness, cyber attackers target not only government-owned equipment, but banks, transport and infrastructure to cause damage. Securing one set of systems is already a challenge, and now we have a problem of securing an entire nation's systems.

One place to start is to reward the good guys who find vulnerabilities and report them.

The phrase “bug bounty” has gone mainstream as Microsoft, Google, Facebook, General Motors and even Starbucks have turned to the crowd for help in fixing security problems. But for all the success that some have achieved with their bug bounty programs, others — like Apple and DJI — have run into trouble. And that's considering companies that have introduced these programs in the first place; at most organizations, the bug bounty adoption curve is virtually non-existent.

© 2024 ALM Global, LLC, All Rights Reserved.