What Hackers Want More Than Cash When They Report Bugs

It’s more important for most internet security researchers that companies stay in regular contact with them about fixing the hackable vulnerabilities they find in software systems than the companies pay them for the bug reports, a federal agency reported Thursday.

Only about one-fifth of internet security researchers, known as white-hat hackers, expect payment in exchange for discovering software vulnerabilities, according to the survey conducted by the Commerce Department’s National Telecommunications and Information Administration.

By contrast, 70 percent of white hats expect regular updates about how a company is fixing a vulnerability and 57 percent want to be able to test the vulnerability to ensure it’s properly patched.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Cash payments for vulnerability disclosures, known as bug bounties, have become increasingly popular among software companies and major organizations, including the Defense Department. Many smaller organizations and nontech firms have been slow to adopt such programs, however. 

The survey included about 400 security researchers, about half of whom were from the U.S.

The survey found more than 90 percent of security researchers attempt to disclose vulnerabilities to companies directly rather than releasing them publicly, but many are frustrated by messy disclosure programs, poor communication from companies or companies that threaten to sue them.

Security researchers are often vulnerable to legal action under the Digital Millennium Copyright Act, the Computer Fraud and Abuse Act, or state laws.

A full 60 percent of respondents said they’d consider not working with a company to fix a computer vulnerability because they fear legal repercussions.